From 8e0c96c35f43e47b72de92799856cd501f4fae72 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 13 Sep 2021 10:23:50 +0200 Subject: SECURITY-PROCESS: tweak a little to match current practices --- docs/SECURITY-PROCESS.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index e4bccb263..383d0c070 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -62,19 +62,20 @@ announcement. - Request a CVE number from [HackerOne](https://docs.hackerone.com/programs/cve-requests.html) -- Consider informing - [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) - to prepare them about the upcoming public security vulnerability - announcement - attach the advisory draft for information. Note that - 'distros' won't accept an embargo longer than 14 days and they do not care - for Windows-specific flaws. - - Update the "security advisory" with the CVE number. - The security team commits the fix in a private branch. The commit message - should ideally contain the CVE number. This fix is usually also distributed - to the 'distros' mailing list to allow them to use the fix prior to the - public announcement. + should ideally contain the CVE number. + +- The security team also decides on and delivers a monetary reward to the + reporter as per the bug-bounty polices. + +- No more than 10 days before release, inform + [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) + to prepare them about the upcoming public security vulnerability + announcement - attach the advisory draft for information with CVE and + current patch. 'distros' does not accept an embargo longer than 14 days and + they do not care for Windows-specific flaws. - No more than 48 hours before the release, the private branch is merged into the master branch and pushed. Once pushed, the information is accessible to -- cgit v1.2.1
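Review bot: typo in the new bug-bounty bullet: "as per the bug-bounty polices" should read "as per the bug-bounty policies". Two smaller points on the same hunk: the new distros bullet says "attach the advisory draft for information with CVE and current patch", which only works because it now sits after the "security team commits the fix in a private branch" step, so it would help to say explicitly that the fix from that private branch is what gets attached (the removed text said the fix "is usually also distributed to the 'distros' mailing list", and that wording was clearer about what is shared). Also, the 10-day window in "No more than 10 days before release" and the 14-day cap in "'distros' does not accept an embargo longer than 14 days" are stated side by side without saying which one bounds the schedule; one sentence noting that 10 days is chosen to stay inside the 14-day distros limit would make the intent obvious to the next editor.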