Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure

[Andreas Färber]

Am 17.04.2014 15:54, schrieb Michael S. Tsirkin:
> People sometimes detect security issues in upstream
> QEMU and don't know where to report them in a non-public way.
> Of course whoever just wants full disclosure can just go public,
> but there's nothing specified for non-public - until recently Anthony
> was doing this informally.
> 
> As I started doing this recently anyway, I can handle this on the QEMU side
> in a more formal way.
> 
> Adding a secalert mailing list as well - they are the ones who is actually
> opening CVEs, communicating issues to all downstreams etc,
> and they are already handling this for upstream, not just Red Hat.
> 
> Keeping Anthony's address around in case he wants to be informed.
> 
> Signed-off-by: Michael S. Tsirkin <address@hidden>
> ---
>  MAINTAINERS | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 34b8c3f..713546f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -52,6 +52,12 @@ General Project Administration
>  ------------------------------
>  M: Anthony Liguori <address@hidden>
>  
> +Responsible Disclosure, Reporting Security Issues
> +------------------------------
> +M: Michael S. Tsirkin <address@hidden>
> +M: Anthony Liguori <address@hidden>
> +L: address@hidden

I believe that after the QEMU Summit 2012 Anthony wanted to set up a
Wiki page on that. Was that forgotten? If so, we should add one,
otherwise we should make it findable and reference it here via W:.

Thanks for documenting this in MAINTAINERS,

Andreas

> +
>  Guest CPU cores (TCG):
>  ----------------------
>  Alpha

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg