On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <m...@redhat.com> wrote:
> > People sometimes detect security issues in upstream
> > QEMU and don't know where to report them in a non-public way.
> > Of course whoever just wants full disclosure can just go public,
> > but there's nothing specified for non-public - until recently Anthony
> > was doing this informally.
> >
> > As I started doing this recently anyway, I can handle this on the QEMU side
> > in a more formal way.
> >
> > Adding a secalert mailing list as well - they are the ones who are actually
> > opening CVEs, communicating issues to all downstreams etc,
> > and they are already handling this for upstream, not just Red Hat.
> >
> > Keeping Anthony's address around in case he wants to be informed.
> >
> > Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>
> What about using qemu-secur...@nongnu.org and creating that as a
> moderated mailing list with no public archive?
>
> That way there's a single contact point and there can be many people
> backing it up to make sure that disclosures are handled very quickly.
>
> Regards,
>
> Anthony Liguori

Also I'd like a more explicit name; we don't want general security-related
discussions on that list.

qemu-secal...@nongnu.org ?

> > ---
> > MAINTAINERS | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 34b8c3f..713546f 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -52,6 +52,12 @@ General Project Administration
> > ------------------------------
> > M: Anthony Liguori <aligu...@amazon.com>
> >
> > +Responsible Disclosure, Reporting Security Issues
> > +------------------------------
> > +M: Michael S. Tsirkin <m...@redhat.com>
> > +M: Anthony Liguori <aligu...@amazon.com>
> > +L: secal...@redhat.com
> > +
> > Guest CPU cores (TCG):
> > ----------------------
> > Alpha
> > --
> > MST
> >
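Review bot: the underline added beneath "Responsible Disclosure, Reporting Security Issues" reuses the dash row of the "General Project Administration" section above it, which is shorter than the new heading; the neighbouring sections ("General Project Administration", "Guest CPU cores (TCG):") size the underline to the heading text, so extend it to the heading's full width. Separately, the new section gives a reporter only two M: addresses and a Red Hat L: address with nothing saying that mail to them is handled in confidence, which is exactly what the commit message says reporters cannot currently find out; a one-line note in the section (for example "Reports sent to these addresses are not publicly archived") would make the non-public channel self-describing.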