Qt Contributor Summit 2019 - Security Policy

See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819

• Make the security core team a very small
  • Must be Qt Project Approver
• Subscribed people to the security list is larger
• Our security processes already include:
  • "Four eyes" review process (no one can introduce their own changes)
  • Static analyses (Giuseppe uploads every Sunday)
  • Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
  • Update third-party components every release
• Third-party component updating:
  • For Qt5, remain as is, with manual processes
  • For Qt 6, with cmake, upgrading should be easy (single command), so customers can do it too
  • We may need to patch when there are fixes from third-parties that are not in any release yet
• Proposal: third-party support bundle
  • For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
  • Updates whenever there are new releases for those third-parties and when there are fixes necessary
  • Shared among all Qt versions
  • Release announcements include the vulnerabilities fixed
  • Time frame: probably for 6.0
• Proposal: core security team monitors third party CVE feeds
  • Update the bundled sources

The Core Security Team

The Core team is responsible for:

• Moderating emails to security@qt-project.org
• Triaging incoming reports, removing those that aren't security issues
• Informing full security team (includes all maintainers)
• Determining the responsible person for fixing the issue
• Security issues are initially P0, but can be lowered after investigation
• When confirmed as a security issue, Core Security Team obtains CVE number
• Ensuring assignee for fix is working on it

Who is on this team? Volker will discuss with the Qt Company management and report.