On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com> wrote:
> People sometimes detect security issues in upstream
> QEMU and don't know where to report them in a non-public way.
> Of course whoever just wants full disclosure can just go public,
> but there's nothing specified for non-public - until recently Anthony
> was doing this informally.
>
> As I started doing this recently anyway, I can handle this on the QEMU side
> in a more formal way.
>
> Adding a secalert mailing list as well - they are the ones who are actually
> opening CVEs, communicating issues to all downstreams etc.,
> and they are already handling this for upstream, not just Red Hat.
>
> Keeping Anthony's address around in case he wants to be informed.
>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
What about using qemu-secur...@nongnu.org and creating that as a moderated mailing list with no public archive? That way there's a single contact point and there can be many people backing it up to make sure that disclosures are handled very quickly.

Regards,

Anthony Liguori

> ---
> MAINTAINERS | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 34b8c3f..713546f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -52,6 +52,12 @@ General Project Administration
> ------------------------------
> M: Anthony Liguori <aligu...@amazon.com>
>
> +Responsible Disclosure, Reporting Security Issues
> +------------------------------
> +M: Michael S. Tsirkin <m...@redhat.com>
> +M: Anthony Liguori <aligu...@amazon.com>
> +L: secal...@redhat.com
> +
> Guest CPU cores (TCG):
> ----------------------
> Alpha
> --
> MST
>
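Review bot: the rule under the new "Responsible Disclosure, Reporting Security Issues" heading reuses the 30-dash underline of "General Project Administration" above it, but the new heading is 49 characters long; MAINTAINERS sizes the underline to the heading (the trailing context shows "Guest CPU cores (TCG):" with a 22-dash rule), so extend it to 49 dashes or shorten the heading. The entry also does not tell a reporter that these addresses are meant for non-public reporting, which is the stated purpose of the change: M: and L: only name people and a list, and L: normally means a public mailing list, so a reader of MAINTAINERS has no way to know that secal...@redhat.com is a private vendor security contact rather than an open list. Consider saying so in the heading itself (for example "Security issues (non-public reporting)") or documenting the process in the file or commit message, and decide whether the project-side single contact point suggested in the reply above should be the L: address instead.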