summaryrefslogtreecommitdiff
path: root/SECURITY.md
Commit message (Collapse)AuthorAgeFilesLines
* SECURITY.md: Increase embargo period from 3-5 to 10-15 business days.Ben Pfaff2016-04-101-1/+1
| | | | | | | | | | | When we recently ran a genuine vulnerability through this process, we discovered that 3-5 days was far too short. The business processes behind releasing fixed versions of software at companies that use Open vSwitch cannot cope with such rapid turnaround, due e.g. to QA and other processes. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Ryan Moats <rmoats@us.ibm.com> Acked-by: Flavio Leitner <fbl@redhat.com>
* SECURITY.md: Add advisory document details.Ben Pfaff2016-03-291-4/+100
| | | | | | Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Ryan Moats <rmoats@us.ibm.com> Acked-by: Justin Pettit <jpettit@ovn.org>
* SECURITY.md: Update.Andrew Kampjes2015-01-131-10/+21
| | | | | | | | | Add bit about reporting vulns with GPG. Add generalised rules for vulnerabilties. Signed-off-by: Andrew Kampjes <a.kampjes@gmail.com> [blp@nicira.com edited and removed text about not using public lists] Signed-off-by: Ben Pfaff <blp@nicira.com>
* SECURITY.md: LTS branches triggers version releaseFlavio Leitner2015-01-071-0/+3
| | | | | | | | | | | The release cycle is in order of months currently, so when a security fix is applied to LTS (long-term support) branches, it is recommended to release a new version. The idea is to keep the latest LTS tarball less vulnerable. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
* SECURITY.md: disclosure date can be negotiatedFlavio Leitner2015-01-071-3/+10
| | | | | | | | | | Stakeholders might need extra time to provide the update, so let's leave it open to negotiate case by case with the final word on the Open vSwitch security team's hands. A default policy is provided as a reference. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
* SECURITY.md: contributors must agree to confidentialityFlavio Leitner2015-01-071-2/+1
| | | | | | | | | There is no point in having the special process if a contributor refuses or doesn't agree with the confidentiality terms. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
* SECURITY: New document describing proposed security process for OVS.Ben Pfaff2015-01-061-0/+154
Open vSwitch needs some kind of process for handling vulnerabilities. So far, we've been pretty lucky that way, but it can't last forever, and I think we'll be better off if we have at least the outline of an established process whenever a significant vulnerability comes along. Here's my draft of a process based on the documentation of the OpenStack process at https://wiki.openstack.org/wiki/Vulnerability_Management. I don't have a lot of experience with this kind of thing myself, so I'd appreciate critical review from anyone who does. Signed-off-by: Ben Pfaff <blp@nicira.com> Reviewed-by: Flavio Leitner <fbl@redhat.com> Acked-by: Justin Pettit <jpettit@nicira.com> Acked-by: Thomas Graf <tgraf@noironetworks.com>
View Lorry Controller Status