diff options
-rw-r--r-- | docs/SECURITY-PROCESS.md | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index e4bccb263..383d0c070 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -62,19 +62,20 @@ announcement. - Request a CVE number from [HackerOne](https://docs.hackerone.com/programs/cve-requests.html) -- Consider informing - [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) - to prepare them about the upcoming public security vulnerability - announcement - attach the advisory draft for information. Note that - 'distros' won't accept an embargo longer than 14 days and they do not care - for Windows-specific flaws. - - Update the "security advisory" with the CVE number. - The security team commits the fix in a private branch. The commit message - should ideally contain the CVE number. This fix is usually also distributed - to the 'distros' mailing list to allow them to use the fix prior to the - public announcement. + should ideally contain the CVE number. + +- The security team also decides on and delivers a monetary reward to the + reporter as per the bug-bounty polices. + +- No more than 10 days before release, inform + [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) + to prepare them about the upcoming public security vulnerability + announcement - attach the advisory draft for information with CVE and + current patch. 'distros' does not accept an embargo longer than 14 days and + they do not care for Windows-specific flaws. - No more than 48 hours before the release, the private branch is merged into the master branch and pushed. Once pushed, the information is accessible to |