On Sun, Jan 8, 2012 at 2:01 PM, Dor Laor <dl...@redhat.com> wrote:
> On 01/06/2012 07:25 PM, Chris Wright wrote:
>>
>> * Corey Bryant (cor...@linux.vnet.ibm.com) wrote:
>>>
>>> Count me in for step 2. A good approach may be to run a static
>>> analysis tool against the code, followed by a manual scan of the
>>> code for common vulnerabilities that static analysis can't find.
>>
>> Good idea. Folks are already running things like Coverity. The false
>> positive rate is high enough that it's a lot to wade through at first
>> (so extra eyes could be quite helpful here). Perhaps the people who
>> are involved in this could share some of their findings.
>
> Markus has already done a pretty extensive review and cleanup using Coverity.
> I'm not sure if he managed to cover all the real issues, have you?
>
> btw: in case a real security flaw is detected, I'd like to ask the audit
> volunteering folks to report a CVE [1] and not to disclose the info till an
> embargo is raised.

The process I have followed is to raise a Launchpad bug and tick "This bug
is a security vulnerability":
https://bugs.launchpad.net/qemu/+filebug

Either way, there need to be simple instructions on how to submit security
vulnerability information and who gets to see that information.

> I think that kvm and qemu need to have a security page like this:
> http://www.webkit.org/security/

Good idea. Once there is a consensus I can write up a page on qemu.org.

Stefan