People sometimes detect security issues in upstream
QEMU and don't know where to report them in a non-public way.
Of course whoever just wants full disclosure can just go public,
but there's nothing specified for non-public - until recently Anthony
was doing this informally.

As I started doing this recently anyway, I can handle this on the QEMU side
in a more formal way.

Adding a secalert mailing list as well - they are the ones who is actually
opening CVEs, communicating issues to all downstreams etc,
and they are already handling this for upstream, not just Red Hat.

Keeping Anthony's address around in case he wants to be informed.

Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
---
 MAINTAINERS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 34b8c3f..713546f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -52,6 +52,12 @@ General Project Administration
 ------------------------------
 M: Anthony Liguori <aligu...@amazon.com>
 
+Responsible Disclosure, Reporting Security Issues
+------------------------------
+M: Michael S. Tsirkin <m...@redhat.com>
+M: Anthony Liguori <aligu...@amazon.com>
+L: secal...@redhat.com
+
 Guest CPU cores (TCG):
 ----------------------
 Alpha
-- 
MST

Reply via email to