cve_policy: update the policy

Update the policy with details related to Eclipse processes, the setup of the Gitlab bugtracker. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>

cve_policy: update the policy
Update the policy with details related to Eclipse processes, the setup of the Gitlab bugtracker. Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
b03228eb · Marta Rybczynska · 9b682960 · b03228eb
Commit b03228eb authored 2 years ago by Marta Rybczynska
--- a/security/cve_policy.rst
+++ b/security/cve_policy.rst
@@ -4,8 +4,8 @@

 .. include:: ../definitions.rst

-Vulnerability Handling Process (draft)
-######################################
+Vulnerability Handling Process
+##############################

 |main_project_name| aims to build a secure system from the foundation, applying
 the best industry practices in terms of development quality. However, as in
@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information
 related to security issues, following the industry best practices. However, all
 information about vulnerabilities is becoming publicly available at the end.

+This process extends `the Eclipse security process <https://www.eclipse.org/security/policy.php>`.
+
 How to Report a Vulnerability?
 ******************************

@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_.
 To do so, login into our issue tracker or create a new account if you do not have one
 yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom 
 'This issue is confidential and should only be visible to team members with at least 
-Reporter access'. Please use the 'Issue' type of ticket and the associated template.
-Fill in the title, answer the questions in the 'Description' field.
+Reporter access'. Please use the 'Issue' type of ticket, on top of the Description field choose
+'default' template. Fill in the title, answer the questions in the 'Description' field.
 Then click 'Create issue'.

 Your report should contain a description of the issue, the steps you took to
@@ -209,6 +211,12 @@ We follow the rules of the upstream projects, if applicable.

 This step is an equivalent of the Fix step of the Bug process.

+Gitlab currently does not allow adding outside assignees to a confidential issue.
+It means that, when a team needs to add a domain expert, they need to create a
+new confidential issue and add ALL people who should be working on the ticket
+as assignees. This is currently the only workaround assuring no confidential data
+disclosure.
+
 Notify
 ^^^^^^