On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com> wrote:
> > People sometimes detect security issues in upstream
> > QEMU and don't know where to report them in a non-public way.
> > Of course whoever just wants full disclosure can just go public,
> > but there's nothing specified for non-public - until recently Anthony
> > was doing this informally.
> >
> > As I started doing this recently anyway, I can handle this on the QEMU side
> > in a more formal way.
> >
> > Adding a secalert mailing list as well - they are the ones who are actually
> > opening CVEs, communicating issues to all downstreams etc,
> > and they are already handling this for upstream, not just Red Hat.
> >
> > Keeping Anthony's address around in case he wants to be informed.
> >
> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>
> What about using qemu-secur...@nongnu.org and creating that as a
> moderated mailing list with no public archive?
>
> That way there's a single contact point and there can be many people
> backing it up to make sure that disclosures are handled very quickly.
>
> Regards,
>
> Anthony Liguori
I prefer to be listed directly, for example some people might want to use my public key to encrypt the mail. But I'm not sure we want the list to be moderated - what does this buy us? We want to make subscriptions limited in some way though - how is it done? > > --- > > MAINTAINERS | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/MAINTAINERS b/MAINTAINERS > > index 34b8c3f..713546f 100644 > > --- a/MAINTAINERS > > +++ b/MAINTAINERS > > @@ -52,6 +52,12 @@ General Project Administration > > ------------------------------ > > M: Anthony Liguori <aligu...@amazon.com> > > > > +Responsible Disclosure, Reporting Security Issues > > +------------------------------ > > +M: Michael S. Tsirkin <m...@redhat.com> > > +M: Anthony Liguori <aligu...@amazon.com> > > +L: secal...@redhat.com > > + > > Guest CPU cores (TCG): > > ---------------------- > > Alpha > > -- > > MST > >
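Review bot: the underline added beneath the new "Responsible Disclosure, Reporting Security Issues" heading is 30 dashes, noticeably shorter than the heading, whereas the existing sections in this file size the underline to the heading text ("General Project Administration" over 30 dashes, "Guest CPU cores (TCG):" over 22); extend it to match. The entry also gives a reporter no hint that these addresses are meant for non-public reports, which the cover text names as the whole motivation, so a one-line remark to that effect in the section (or at least in the commit message) would help. Finally, the only `L:` entry points at a Red Hat list, secal...@redhat.com, rather than a project address; the thread's open question of whether a subscription-restricted qemu-secur...@nongnu.org list should be the single contact point, with individual maintainers listed for those who want to encrypt to a known key, is worth settling before this is merged.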