mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
security-team: Add section on multi-project embargoes
This text is migrated from the Security private reporting wiki page [1], originally written by Marta. [1]: https://wiki.yoctoproject.org/wiki/index.php?title=Security_private_reporting&type=revision&diff=86034&oldid=86033 Cc: Marta Rybczynska <marta.rybczynska@ygreky.com> (From yocto-docs rev: 365b24e25f47ab91ccdabd309aeb34e5ef5a9eb7) Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit c5438ff6f02856afaff9575ac21e9959158efc4b) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
@@ -80,6 +80,28 @@ vulnerability as quickly as possible.
|
||||
The Yocto Project Security team adheres to the 90 days disclosure policy
|
||||
by default. An increase of the embargo time is possible when necessary.
|
||||
|
||||
Handling multi-project embargoes
|
||||
--------------------------------
|
||||
|
||||
In rare cases, a severe security issue affects multiple projects. This might be
|
||||
numerous projects having a similar issue because of design, coding pattern, or
|
||||
reuse of the same code (an example of this situation is :cve_nist:`2023-44487`
|
||||
where multiple web servers share a design weakness). It might also be a
|
||||
high-profile issue in a commonly used library (like OpenSSL). In such cases,
|
||||
the project, learning first about the issue, might decide to notify other
|
||||
affected projects confidentially so that they come up with a synchronized fix.
|
||||
It might also be the affected project informing major distributions to roll out
|
||||
the update simultaneously.
|
||||
|
||||
Such notifications happen over confidential, non-public means. Typically, the
|
||||
project initiating this "embargo" directly notifies a selected number of people
|
||||
from each project, including a subset of the security team. When Yocto Project
|
||||
is a part of such a notified group, developers prepare fixes on separate
|
||||
infrastructure and test it. They might also include additional developers and
|
||||
domain experts who can help with the fix and eventual regressions. When the
|
||||
embargo is lifted, they send a patch to the relevant public list, and the usual
|
||||
review process starts.
|
||||
|
||||
Security Team Members
|
||||
=====================
|
||||
|
||||
|
||||
Reference in New Issue
Block a user