author Andy Shaw <andy.shaw@qt.io> 2020-06-05 15:15:37 +0200
committer Lars Knoll <lars.knoll@qt.io> 2020-06-15 12:41:54 +0000
commit 90d2403560cb212179a678588fc2ff1c49c083d5 (patch)
tree ef65ba1df04379b1f6ca3ece0ce04df8864fe2fb
parent 24fd5bd9046562fd75e45675b8476cd00c4df264 (diff)
QUIP-15: Update to account for commercial licensees
Commercial licensees can report security issues via the support portal so that the fact that they are using Qt can be kept known only to those inside The Qt Company. Additionally, this refers to the fact that commercial-only code that has a security issue can be reported in the same manner.

Change-Id: I6b4da1026a56a674effd8fa4f86078a577302dcd
Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
-rw-r--r-- quip-0015-Security-Policy.rst | 13
1 files changed, 10 insertions, 3 deletions
diff --git a/quip-0015-Security-Policy.rst b/quip-0015-Security-Policy.rst
index 803325d..177c97c 100644
--- a/quip-0015-Security-Policy.rst
+++ b/quip-0015-Security-Policy.rst
@@ -6,7 +6,7 @@ Type: Process
Content-Type: text/x-rst
Created: 2019-05-21
Post-History: https://lists.qt-project.org/pipermail/development/2019-May/036030.html
-
+ https://lists.qt-project.org/pipermail/development/2020-June/039672.html
Qt Project Security Policy
==========================
@@ -56,7 +56,9 @@ Reporting Security Issues
-------------------------
Security issues should not be reported via the normal bugreports.qt.io tracker,
-but should instead be sent to security@qt-project.org
+but should instead be sent to security@qt-project.org. For commercial licensees,
+the issue can be reported to the Qt Company Support team via the support
+portal, using the "Security Issues" category.
* The Core Security Team monitors and moderates incoming emails on business
days (i.e. not including weekends), and approves all posts that are not spam.
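Review bot: the new support-portal route in the added sentence is introduced without a link or a concrete name, while this document otherwise links its references (the `Maintainers`_ hyperlink target further down). Add a hyperlink target for the portal so a reporter can find it, and consider stating whether the business-day monitoring described in the following bullet also applies to reports arriving through the portal, since for those reporters the portal replaces the mailing list.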
@@ -68,6 +70,9 @@ but should instead be sent to security@qt-project.org
then the reporter should contact the Chief Maintainer directly.
* The Core Security Team controls membership of the security@qt-project.org;
generally, all `Maintainers`_ are subscribed to this list.
+* For security issues reported to the Qt Company Support team, they will be
+ reported to security@qt-project.org and the reporter will be sent an
+ acknowledgment that this has been done.
.. _`Maintainers`: https://quips-qt-io.herokuapp.com/quip-0002.html#maintainers
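Review bot: the added bullet does not say what is forwarded. The commit message states the purpose is to keep a commercial licensee's use of Qt known only inside The Qt Company, yet the bullet says the issue "will be reported to security@qt-project.org", a list to which, per the preceding bullet, all Maintainers are subscribed. State whether the report is forwarded with the reporter's identity and affiliation removed, e.g. "the Qt Company Support team forwards the technical details, without identifying the reporter, to security@qt-project.org and acknowledges this to the reporter". This also fixes "they will be reported", where "they" has no clear antecedent.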
@@ -94,6 +99,8 @@ Handling of Reported Security Issues
relevant contributors and third parties.
* If the reported vulnerability is in third-party code, then the Core Security
Team coordinates with Maintainers and the respective third party.
+* If the reported vulnerability is in commercially licensed only code, then the
+ Qt Company will handle it accordingly.
* Reported issues that are assessed to not have an impact on security can be
handled as regular bug reports, and may be filed by a suitable party in the
normal bugreports.qt.io tracker.
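Review bot: "the Qt Company will handle it accordingly" leaves the process for commercial-only code undefined: the neighbouring bullets say who coordinates and with whom, but this one does not say whether the Core Security Team is informed, who performs the risk assessment, or whether the disclosure section below applies. Suggest at least "the Qt Company handles the issue and keeps the Core Security Team informed", or an explicit statement that the disclosure process does not apply. "commercially licensed only code" also reads awkwardly; "code available only under a commercial license" is clearer.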
@@ -105,7 +112,7 @@ How will Issues be Disclosed?
are listed in the `Common Vulnerabilities and Exposures database`_, and
if needed files them after the risk assessment.
* Security issues will be disclosed by an email to the announce@qt-project.org
- mailing list once the CVE entry is published.
+ mailing list and to all commercial licencees once the CVE entry is published.
* All members of the Core Security Team must have posting rights for the
announce@qt-project.org list for this purpose.
* All security announcements will be made on behalf of the Qt Project, though
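Review bot: "licencees" on the added line is misspelled and inconsistent with "licensees" used in the Reporting section hunk and in the commit message; use "licensees". The line also adds a disclosure channel without saying what it is: the announce@qt-project.org route is backed by the following bullet on posting rights, but how commercial licensees are notified is not stated. Name the channel, e.g. the support portal introduced earlier in this patch, so that the announcement reaches them at the same time as the public list.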