From e9cc2750f21e1a072d0e94a3320ab3f6a735a266 Mon Sep 17 00:00:00 2001 From: Edwin Kempin Date: Tue, 1 Dec 2020 13:02:46 +0100 Subject: [PATCH] Document that a CVE should be filed for security issues Googlers can request CVEs at https://goto2.corp.google.com/cve-request (Google-internal link that only works for Googlers). Bug: Issue 11621 Signed-off-by: Edwin Kempin Change-Id: Ia21f47ad345767351f40b7504636c65abb931b26 --- Documentation/dev-processes.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Documentation/dev-processes.txt b/Documentation/dev-processes.txt index 0eb3972d6b..68e56ba0af 100644 --- a/Documentation/dev-processes.txt +++ b/Documentation/dev-processes.txt @@ -271,6 +271,15 @@ bug-fixes anymore. It's also possible that the ESC decides that an issue is not a security issue and the embargo is lifted immediately. +. Filing a CVE ++ +For every security issue a CVE that describes the issue and lists the affected +releases should be filed. Filing a CVE can be done by any maintainer that works +for an organization that can request CVE numbers (e.g. Googlers). The CVE +number must be included in the release notes. The CVE itself is only made +public after fixed released have been published and the embargo has been +lifted. + . Implementation of the security fix: + To keep the embargo intact, security fixes cannot be developed and reviewed in @@ -316,6 +325,8 @@ link:https://groups.google.com/d/forum/repo-discuss[repo-discuss,role=external,w This ends the embargo and any issue that discusses the security vulnerability should be made public. +. Publish the CVE + . Follow-Up + The ESC should discuss if there are any learnings from the security
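Review bot: Typo in the first hunk's "Filing a CVE" paragraph: "after fixed released have been published" should read "after fixed releases have been published". The same paragraph would also benefit from stating when the CVE should be requested relative to the other steps, since it is inserted before "Implementation of the security fix" but the text only says the CVE is made public after the embargo is lifted; a sentence such as "The CVE should be requested as soon as the ESC has confirmed the issue is a security issue, so that the number is available for the release notes" would make the ordering explicit. Minor style point: the neighbouring list items in this section end with a colon ("Implementation of the security fix:"), so ". Filing a CVE:" would match the existing convention.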
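Review bot: The second hunk adds ". Publish the CVE" as a bare list item with no "+" continuation paragraph, while every other step in this section carries a short description. Since the earlier hunk already states that the CVE is only made public after the fixed releases have been published and the embargo has been lifted, this step should say who is responsible for publishing it (presumably the maintainer who filed it) and that it happens after the announcement on repo-discuss, for example: "+ The maintainer who filed the CVE makes it public once the fixed releases have been announced and the embargo is lifted." Otherwise readers have no way to tell whether publishing the CVE is a prerequisite for, or a consequence of, lifting the embargo.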