I previously raised the idea of using GitLab issues for security
disclosures:

  https://lists.gnu.org/archive/html/qemu-devel/2026-05/msg04582.html

This patch proposal formalizes that into a concrete proposal:

 * qemu-security is entirely discontinued

 * "confidential" GitLab issues are to be used

 * The priority is to have a low overhead process that is
   as close to normal bug & development workflow as
   possible.

 * No embargoes will be accepted, beyond the time needed
   for a maintainer to develop a patch, unless extenuating
   scenarios apply. A vendor's/user's desire to delay to
   suit their arbitrary software upgrade schedule is NOT
   an extenuating scenario.

 * All confidential issues will be expected to be made
   public, either when the patch is proposed to qemu-devel,
   or sooner if an issue is low severity and a patch is not
   a priority for the maintainer.

 * Eliminate dependency on any single maintainer/person to
   the greatest extent practical

With the move to use of the issue tracker, my intention is to
use a script to bulk import all disclosures received by
[email protected] since March 1st 2026.  The imported
issues will reflect the current triage / resolution state of
each disclosure. IOW, completed issues will be immediately
marked closed upon import, non-virt use cases issues will be
marked public, and outstanding virt use case issues will
remain confidential.

The issue description will *NOT* be re-formatted according to
the QEMU bug template. Most disclosures have been provided
via email in markdown format, so this will be imported 'as is'
as the full description with no editing.

The "reporter" in these cases will be a throwaway "bot" account,
but the original reporter's name, email, date and message-id will
be recorded.

Daniel P. Berrangé (3):
  contribute: reformat/restructure bug report guidance
  contribute: add automated tool disclosure to bug reporting
  contribute: switch security process to gitlab confidential issues

 contribute/report-a-bug.md     |  63 ++++---
 contribute/security-process.md | 309 +++++++++++++++------------------
 2 files changed, 184 insertions(+), 188 deletions(-)

-- 
2.54.0
