Qt Contributor Summit 2019 - Security Policy: Difference between revisions

From Qt Wiki
Jump to navigation Jump to search
(Created page with "See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819 * Make the security core team a very small ** Must be approver * Subscribed people to the secu...")
 
(Add link to mentioned session)
 
(2 intermediate revisions by one other user not shown)
Line 2: Line 2:


* Make the security core team a very small
* Make the security core team a very small
** Must be approver
** Must be Qt Project Approver
* Subscribed people to the security list is larger
* Subscribed people to the security list is larger
* Our security processes already include:
* Our security processes already include:
** "Four eyes" review process (no one can introduce their own changes)
** "Four eyes" review process (no one can introduce their own changes)
** Static analyses (Giuseppe uploads every Sunday)
** Static analyses (Giuseppe uploads every Sunday)
** Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
** Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a [[Qt_Contributors_Summit_2019_-Fuzzing_Qt|session on this]] and will have more details)
** Update third-party components every release
** Update third-party components every release
* Third-party component updating:
* Third-party component updating:
Line 18: Line 18:
** Shared among all Qt versions
** Shared among all Qt versions
** Release announcements include the vulnerabilities fixed
** Release announcements include the vulnerabilities fixed
** Time frame: probably for 6.0
* Proposal: core security team monitors third party CVE feeds
** Update the bundled sources
== The Core Security Team ==
The '''Core''' team is responsible for:
* Moderating emails to security@qt-project.org
* Triaging incoming reports, removing those that aren't security issues
* Informing full security team (includes all maintainers)
* Determining the responsible person for fixing the issue
* Security issues are initially P0, but can be lowered after investigation
* When confirmed as a security issue, Core Security Team obtains CVE number
* Ensuring assignee for fix is working on it
Who is on this team? Volker will discuss with the Qt Company management and report.

Latest revision as of 14:23, 2 December 2019

See QUIP for proposal - https://codereview.qt-project.org/c/meta/quips/+/278819

  • Make the security core team a very small
    • Must be Qt Project Approver
  • Subscribed people to the security list is larger
  • Our security processes already include:
    • "Four eyes" review process (no one can introduce their own changes)
    • Static analyses (Giuseppe uploads every Sunday)
    • Fuzzing is done for some modules that are designed to consume untrusted data (Robert had a session on this and will have more details)
    • Update third-party components every release
  • Third-party component updating:
    • For Qt5, remain as is, with manual processes
    • For Qt 6, with cmake, upgrading should be easy (single command), so customers can do it too
    • We may need to patch when there are fixes from third-parties that are not in any release yet
  • Proposal: third-party support bundle
    • For all binary builds, create a bundle of all third-party content built as regular shared libraries/DLLs
    • Updates whenever there are new releases for those third-parties and when there are fixes necessary
    • Shared among all Qt versions
    • Release announcements include the vulnerabilities fixed
    • Time frame: probably for 6.0
  • Proposal: core security team monitors third party CVE feeds
    • Update the bundled sources

The Core Security Team

The Core team is responsible for:

  • Moderating emails to security@qt-project.org
  • Triaging incoming reports, removing those that aren't security issues
  • Informing full security team (includes all maintainers)
  • Determining the responsible person for fixing the issue
  • Security issues are initially P0, but can be lowered after investigation
  • When confirmed as a security issue, Core Security Team obtains CVE number
  • Ensuring assignee for fix is working on it

Who is on this team? Volker will discuss with the Qt Company management and report.