<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <!-- This file is autogenerated from securityprocess.html.in Do not edit this file. Changes will be lost. --> <!-- This page was generated at Mon Nov 13 21:46:23 UTC 2017. --> <head> <meta charset="UTF-8"/> <meta name="viewport" content="width=device-width, initial-scale=1"/> <link rel="stylesheet" type="text/css" href="main.css"/> <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"/> <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"/> <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"/> <link rel="manifest" href="/manifest.json"/> <meta name="theme-color" content="#ffffff"/> <title>libvirt: Security Process</title> <meta name="description" content="libvirt, virtualization, virtualization API"/> <script type="text/javascript">
<!--
// Collapse the navigation bar once the page has been scrolled past the
// header; expand it again when scrolled back to the top.
function init() {
  window.addEventListener('scroll', function(e){
    var distanceY = window.pageYOffset || document.documentElement.scrollTop,
        shrinkOn = 94,
        home = document.getElementById("home"),
        links = document.getElementById("jumplinks"),
        search = document.getElementById("search"),
        body = document.getElementById("body");
    if (distanceY > shrinkOn) {
      if (home.className != "navhide") {
        body.className = "navhide";
        home.className = "navhide";
        links.className = "navhide";
        search.className = "navhide";
      }
    } else {
      if (home.className == "navhide") {
        body.className = "";
        home.className = "";
        links.className = "";
        search.className = "";
      }
    }
  });
}
// Assign the function itself as the load handler rather than calling it here.
window.onload = init;
-->
</script> </head> <body> <div id="body"> <div id="content"> <h1>Security Process</h1> <ul> <li> <a href="#reporting">Reporting security issues</a> </li> <li> <a href="#seclist">Security team</a> </li> <li> <a href="#embargo">Publication embargo policy</a> </li> <li> <a href="#cve">CVE allocation</a> </li> <li> <a href="#branches">Branch fixing policy</a> </li> <li> <a href="#notification">Notification of issues</a> </li> 
</ul> <p> The libvirt project believes in responsible disclosure of security problems, to allow vendors time to prepare and distribute patches for problems ahead of their publication. This page describes how the process works and how to report potential security issues. </p> <h2> <a id="reporting">Reporting security issues</a> <a class="headerlink" href="#reporting" title="Permalink to this headline">¶</a> </h2> <p> If a bug in libvirt is found which is believed to have (potential) security implications, there is a dedicated contact to which the bug report or notification should be directed. Send an email with as many details of the problem as possible (ideally with steps to reproduce) to the following email address: </p> <pre> <a href="mailto:libvirt-security@redhat.com">libvirt-security@redhat.com</a> </pre> <p> NB. while this email address is backed by a mailing list, it is invitation only and moderated for non-members. As such you will receive an auto-reply indicating that the report is held for moderation. Postings by non-members will be approved by a moderator, and the reporter will be copied on any replies. </p> <h2> <a id="seclist">Security team</a> <a class="headerlink" href="#seclist" title="Permalink to this headline">¶</a> </h2> <p> The libvirt security team is made up of a subset of the libvirt core development team, which covers the various distro maintainers of libvirt, along with nominated security engineers representing the various vendors who distribute libvirt. The team is responsible for analysing incoming reports from users to identify whether a security problem exists and its severity. It then works to produce a fix for all official stable branches of libvirt and coordinates embargo dates between vendors to allow simultaneous release of the fix by all affected parties. </p> <p> If you are a security representative of a vendor distributing libvirt and would like to join the security team, send an email to the aforementioned security address. 
Typically an existing member of the security team will have to vouch for your credentials before membership is approved. All members of the security team are <strong>required to respect the embargo policy</strong> described below. </p> <h2> <a id="embargo">Publication embargo policy</a> <a class="headerlink" href="#embargo" title="Permalink to this headline">¶</a> </h2> <p> The libvirt security team operates a policy of <a href="http://en.wikipedia.org/wiki/Responsible_disclosure">responsible disclosure</a>. As such, any security issue reported that is not already publicly disclosed elsewhere will have an embargo date assigned. Members of the security team agree not to publicly disclose any details of the security issue until the embargo date expires. </p> <p> The general aim of the team is to have embargo dates which are two weeks or less in duration. If a problem is identified with a proposed patch for a security issue, requiring further investigation and bug fixing, the embargo clock may be restarted. In exceptional circumstances longer initial embargoes may be negotiated by mutual agreement between members of the security team and other relevant parties to the problem. Any such extended embargoes will aim to be at most one month in duration. </p> <h2> <a id="cve">CVE allocation</a> <a class="headerlink" href="#cve" title="Permalink to this headline">¶</a> </h2> <p> The libvirt security team will associate each security issue with a CVE number. The CVE numbers will usually be allocated by one of the vendor security engineers on the security team. </p> <h2> <a id="branches">Branch fixing policy</a> <a class="headerlink" href="#branches" title="Permalink to this headline">¶</a> </h2> <p> The libvirt community maintains one or more stable release branches at any given point in time. The security team will aim to publish fixes for git master (which will become the next major release) and each currently maintained stable release branch. 
The distro maintainers will be responsible for backporting the officially published fixes to other release branches where applicable. </p> <h2> <a id="notification">Notification of issues</a> <a class="headerlink" href="#notification" title="Permalink to this headline">¶</a> </h2> <p> When an embargo expires, security issues will be announced on both the libvirt development and announcement <a href="https://libvirt.org/contact.html#email">mailing lists</a>. </p> </div> </div> <div id="nav"> <div id="home"> <a href="index.html">Home</a> </div> <div id="jumplinks"> <ul> <li> <a href="downloads.html">Download</a> </li> <li> <a href="contribute.html">Contribute</a> </li> <li> <a href="docs.html">Docs</a> </li> </ul> </div> <div id="search"> <form action="search.php" enctype="application/x-www-form-urlencoded" method="get"> <div> <input name="query" type="text" size="12" value=""/> <input name="submit" type="submit" value="Go"/> </div> </form> </div> </div> <div id="footer"> <div id="contact"> <h3>Contact</h3> <ul> <li> <a href="contact.html#email">email</a> </li> <li> <a href="contact.html#irc">irc</a> </li> </ul> </div> <div id="community"> <h3>Community</h3> <ul> <li> <a href="https://twitter.com/hashtag/libvirt">twitter</a> </li> <li> <a href="https://plus.google.com/communities/109522598353007505282">google+</a> </li> <li> <a href="http://stackoverflow.com/questions/tagged/libvirt">stackoverflow</a> </li> <li> <a href="http://serverfault.com/questions/tagged/libvirt">serverfault</a> </li> </ul> </div> <div id="conduct"> Participants in the libvirt project agree to abide by <a href="governance.html#codeofconduct">the project code of conduct</a></div> <br class="clear"/> </div> </body> </html>