From b03228eb668052b59da85fec98d39a8c2052d554 Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <marta.rybczynska@linaro.org>
Date: Thu, 3 Nov 2022 10:29:08 +0100
Subject: [PATCH] cve_policy: update the policy

Update the policy with details related to Eclipse processes and
the setup of the Gitlab bugtracker.

Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
---
 security/cve_policy.rst | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/security/cve_policy.rst b/security/cve_policy.rst
index f54bd74..49a3dff 100644
--- a/security/cve_policy.rst
+++ b/security/cve_policy.rst
@@ -4,8 +4,8 @@
 
 .. include:: ../definitions.rst
 
-Vulnerability Handling Process (draft)
-######################################
+Vulnerability Handling Process
+##############################
 
 |main_project_name| aims to build a secure system from the foundation, applying
 the best industry practices in terms of development quality. However, as in
@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information
 related to security issues, following the industry best practices. However, all
 information about vulnerabilities is becoming publicly available at the end.
 
+This process extends `the Eclipse security process <https://www.eclipse.org/security/policy.php>`.
+
 How to Report a Vulnerability?
 ******************************
 
@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_.
 To do so, login into our issue tracker or create a new account if you do not have one
 yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom 
 'This issue is confidential and should only be visible to team members with at least 
-Reporter access'. Please use the 'Issue' type of ticket and the associated template.
-Fill in the title, answer the questions in the 'Description' field.
+Reporter access'. Please use the 'Issue' type of ticket, on top of the Description field choose
+'default' template. Fill in the title, answer the questions in the 'Description' field.
 Then click 'Create issue'.
 
 Your report should contain a description of the issue, the steps you took to
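Review bot: the rewritten instruction in the added lines reads as a comma splice with a missing article ("Please use the 'Issue' type of ticket, on top of the Description field choose 'default' template"). Suggest splitting it into steps in the same style as the surrounding text, e.g. "Please use the 'Issue' type of ticket. Above the 'Description' field, choose the 'default' template. Fill in the title and answer the questions in the 'Description' field." Since this is the reporter-facing path for confidential reports, the wording should leave no doubt which template is meant.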
@@ -209,6 +211,12 @@ We follow the rules of the upstream projects, if applicable.
 
 This step is an equivalent of the Fix step of the Bug process.
 
+Gitlab currently does not allow adding outside assignees to a confidential issue.
+It means that, when a team needs to add a domain expert, they need to create a
+new confidential issue and add ALL people who should be working on the ticket
+as assignees. This is currently the only workaround assuring no confidential data
+disclosure.
+
 Notify
 ^^^^^^
 
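Review bot: the added workaround paragraph does not say what happens to the original confidential issue once the new one with the full assignee list is created; without that, the report history is split across two tickets and the original may stay open with nobody assigned. Suggest adding a sentence stating that the original issue is closed with a reference to the new one (keeping both confidential). Minor wording: "assuring no confidential data disclosure" reads better as "ensuring that no confidential data is disclosed", "It means that" as "This means that", and the all-caps "ALL" can be plain text.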
-- 
GitLab