On Tue, Apr 29, 2014 at 09:56:19AM +0100, Peter Maydell wrote: > On 29 April 2014 06:51, Michael S. Tsirkin <m...@redhat.com> wrote: > > If not too late, I'd like to discuss our security process. > > Do we as the project generally agree to use responsible disclosure policy > > http://en.wikipedia.org/wiki/Responsible_disclosure ? > > I think something like that makes sense. I'm a bit wary that > we write up some complicated policy that we're not then > in practice capable of executing given our level of resources. > We should certainly write out some documentation though... > > thanks > -- PMM
I didn't have anything complex in mind. Let's just make clear how to contact us securely, when to contact that list, and what we'll do with the info. I cobbled together the following: http://wiki.qemu.org/SecurityProcess -- MST
