From 9dccef4d9b054fffe60726196c8f35c3e3dd8d0e Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <marta.rybczynska@huawei.com>
Date: Mon, 4 Oct 2021 16:19:53 +0200
Subject: [PATCH] security: add the security bug tracker

Add a description of the security bug tracker and describe how to correctly
create issues. Email and GPG key of the team will be added further.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 definitions.rst         |  1 +
 security/cve_policy.rst | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/definitions.rst b/definitions.rst
index 0b9b9ed..2279d95 100644
--- a/definitions.rst
+++ b/definitions.rst
@@ -5,3 +5,4 @@
 .. |contact_info| replace:: <TBD>
 .. |security_contact| replace:: <TBD>
 .. |security_public_key| replace:: <TBD>
+.. |security_bugtracker| replace:: <https://git.ostc-eu.org/security-team/security-bugs/-/issues>
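Review bot: the angle brackets around the URL in `.. |security_bugtracker| replace:: <https://git.ostc-eu.org/security-team/security-bugs/-/issues>` will be emitted literally, so readers see `<https://...>` instead of a clean link. The `<TBD>` placeholders on the three lines above use angle brackets to mark a missing value, but this line carries a real URL; dropping the brackets (`.. |security_bugtracker| replace:: https://git.ostc-eu.org/security-team/security-bugs/-/issues`) lets docutils recognise the bare URL as a standalone hyperlink wherever the substitution is used. Note also that `|security_contact|` and `|security_public_key|` stay `<TBD>` here, which matches the second hunk removing the email and GPG instructions.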
diff --git a/security/cve_policy.rst b/security/cve_policy.rst
index 5d54a8d..a77692a 100644
--- a/security/cve_policy.rst
+++ b/security/cve_policy.rst
@@ -24,15 +24,21 @@ How to report a vulnerability?
 
 If you think you have found a security issue in our distribution, please contact
 us immediatelly by posting a confidential issue in our bug tracker in a
-dedicated security project (include details on how to make it confidential), or
-by email using the address |security_contact|.
+dedicated `security project |security_bugtracker|`.
+
+To do so, login into our issue tracker or create a new account if you do not have one
+yet. Click on ``New issue``, then make sure to check the checkbox at the bottom 
+'This issue is confidential and should only be visible to team members with at least 
+Reporter access'. Please use the 'Issue' type of ticket and the associated template.
+Fill in the title, answer the questions in the 'Description' field.
+Then click 'Create issue'.
 
 Your report should contain a description of the issue, the steps you took to
 reproduce the issue (including the image name), affected versions, and, if
 known, any mitigations for the issue.
 
-If desired, you can also use GPG-encrypted email using our public key
-|security_public_key|.
+We plan to add a security-related mailing list and a possibility to send
+GPG-encrypted email in the near future.
 
 We aim to acknowledge the reception within one working day, and responding with
 a first assessment within three working days. We follow a 90 days disclosure
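Review bot: the substitution reference in `+dedicated `security project |security_bugtracker|`.` will not resolve, because reStructuredText does not recognise inline markup (including `|name|` substitution references) inside interpreted text; the line will render as the literal text "security project |security_bugtracker|" in the default role rather than as a link. Write it outside the backticks, e.g. "dedicated security project: |security_bugtracker|." (with the substitution defined as a bare URL so it becomes a hyperlink). Two smaller points in the same paragraph: "login into our issue tracker" should read "log in to our issue tracker", and the lines ending "at the bottom " and "with at least " carry trailing whitespace. Finally, the hunk drops the email and GPG-encrypted email alternatives and replaces them with "in the near future", so until the mailing list exists a reporter who cannot or will not create a tracker account has no documented channel; consider saying so explicitly, or keeping the `|security_contact|` sentence with a note that the address is pending.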
-- 
GitLab