Qt Contributor Summit 2019 - Security Policy: Difference between revisions
Jump to navigation
Jump to search
(Created page with "See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819 * Make the security core team a very small ** Must be approver * Subscribed people to the secu...") |
No edit summary |
||
Line 2: | Line 2: | ||
* Make the security core team a very small | * Make the security core team a very small | ||
** Must be | ** Must be Qt Project Approver | ||
* Subscribed people to the security list is larger | * Subscribed people to the security list is larger | ||
* Our security processes already include: | * Our security processes already include: | ||
Line 18: | Line 18: | ||
** Shared among all Qt versions | ** Shared among all Qt versions | ||
** Release announcements include the vulnerabilities fixed | ** Release announcements include the vulnerabilities fixed | ||
** Time frame: probably for 6.0 | |||
* Proposal: core security team monitors third party CVE feeds | |||
** Update the bundled sources | |||
== The Core Security Team == | |||
The '''Core''' team is responsible for: | |||
* Moderating emails to security@qt-project.org | |||
* Triaging incoming reports, removing those that aren't security issues | |||
* Informing full security team (includes all maintainers) | |||
* Determining the responsible person for fixing the issue | |||
* Security issues are initially P0, but can be lowered after investigation | |||
* When confirmed as a security issue, Core Security Team obtains CVE number | |||
Who is on this team? Volker will discuss with the Qt Company management and report. | |||
* Ensuring assignee for fix is working on it |
Revision as of 10:38, 21 November 2019
See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819
- Make the security core team a very small
- Must be Qt Project Approver
- Subscribed people to the security list is larger
- Our security processes already include:
- "Four eyes" review process (no one can introduce their own changes)
- Static analyses (Giuseppe uploads every Sunday)
- Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
- Update third-party components every release
- Third-party component updating:
- For Qt5, remain as is, with manual processes
- For Qt 6, with cmake, upgrading should be easy (single command), so customers can do it too
- We may need to patch when there are fixes from third-parties that are not in any release yet
- Proposal: third-party support bundle
- For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
- Updates whenever there are new releases for those third-parties and when there are fixes necessary
- Shared among all Qt versions
- Release announcements include the vulnerabilities fixed
- Time frame: probably for 6.0
- Proposal: core security team monitors third party CVE feeds
- Update the bundled sources
The Core Security Team
The Core team is responsible for:
- Moderating emails to security@qt-project.org
- Triaging incoming reports, removing those that aren't security issues
- Informing full security team (includes all maintainers)
- Determining the responsible person for fixing the issue
- Security issues are initially P0, but can be lowered after investigation
- When confirmed as a security issue, Core Security Team obtains CVE number
Who is on this team? Volker will discuss with the Qt Company management and report.
- Ensuring assignee for fix is working on it