On Tue, Apr 29, 2014 at 12:09 PM, Michael S. Tsirkin <m...@redhat.com> wrote:
> On Tue, Apr 29, 2014 at 09:56:19AM +0100, Peter Maydell wrote:
>> On 29 April 2014 06:51, Michael S. Tsirkin <m...@redhat.com> wrote:
>> > If not too late, I'd like to discuss our security process.
>> > Do we as the project generally agree to use a responsible disclosure policy
>> > http://en.wikipedia.org/wiki/Responsible_disclosure ?
>>
>> I think something like that makes sense. I'm a bit wary that
>> we write up some complicated policy that we're not then
>> in practice capable of executing given our level of resources.
>> We should certainly write out some documentation though...
>>
>> thanks
>> -- PMM
>
> I didn't have anything complex in mind.
>
> Let's just make clear how to contact us securely, when to contact that
> list, and what we'll do with the info.  I cobbled together the
> following:
> http://wiki.qemu.org/SecurityProcess

Looks good.  Responsible disclosure plus who to contact should be
enough to help people report security issues properly.

Stefan
