Skip to content
Snippets Groups Projects
Commit b03228eb authored by Marta Rybczynska's avatar Marta Rybczynska
Browse files

cve_policy: update the policy


Update the policy with details related to Eclipse processes,
the setup of the Gitlab bugtracker.

Signed-off-by: default avatarMarta Rybczynska <marta.rybczynska@linaro.org>
parent 9b682960
No related branches found
Tags v5.13.4
No related merge requests found
Pipeline #12009 passed
......@@ -4,8 +4,8 @@
.. include:: ../definitions.rst
Vulnerability Handling Process (draft)
######################################
Vulnerability Handling Process
##############################
|main_project_name| aims to build a secure system from the foundation, applying
the best industry practices in terms of development quality. However, as in
......@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information
related to security issues, following the industry best practices. However, all
information about vulnerabilities is becoming publicly available at the end.
This process extends `the Eclipse security process <https://www.eclipse.org/security/policy.php>`.
How to Report a Vulnerability?
******************************
......@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_.
To do so, login into our issue tracker or create a new account if you do not have one
yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom
'This issue is confidential and should only be visible to team members with at least
Reporter access'. Please use the 'Issue' type of ticket and the associated template.
Fill in the title, answer the questions in the 'Description' field.
Reporter access'. Please use the 'Issue' type of ticket, on top of the Description field choose
'default' template. Fill in the title, answer the questions in the 'Description' field.
Then click 'Create issue'.
Your report should contain a description of the issue, the steps you took to
......@@ -209,6 +211,12 @@ We follow the rules of the upstream projects, if applicable.
This step is an equivalent of the Fix step of the Bug process.
Gitlab currently does not allow adding outside assignees to a confidential issue.
It means that, when a team needs to add a domain expert, they need to create a
new confidential issue and add ALL people who should be working on the ticket
as assignees. This is currently the only workaround assuring no confidential data
disclosure.
Notify
^^^^^^
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment