-rw-r--r-- | quip-0015-Security-Policy.rst | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/quip-0015-Security-Policy.rst b/quip-0015-Security-Policy.rst index 803325d..177c97c 100644 --- a/quip-0015-Security-Policy.rst +++ b/quip-0015-Security-Policy.rst @@ -6,7 +6,7 @@ Type: Process Content-Type: text/x-rst Created: 2019-05-21 Post-History: https://lists.qt-project.org/pipermail/development/2019-May/036030.html - + https://lists.qt-project.org/pipermail/development/2020-June/039672.html Qt Project Security Policy ========================== @@ -56,7 +56,9 @@ Reporting Security Issues ------------------------- Security issues should not be reported via the normal bugreports.qt.io tracker, -but should instead be sent to security@qt-project.org +but should instead be sent to security@qt-project.org. For commercial licensees, +the issue can be reported to the Qt Company Support team via the support +portal, using the "Security Issues" category. * The Core Security Team monitors and moderates incoming emails on business days (i.e. not including weekends), and approves all posts that are not spam. @@ -68,6 +70,9 @@ but should instead be sent to security@qt-project.org then the reporter should contact the Chief Maintainer directly. * The Core Security Team controls membership of the security@qt-project.org; generally, all `Maintainers`_ are subscribed to this list. +* For security issues reported to the Qt Company Support team, they will be + reported to security@qt-project.org and the reporter will be sent an + acknowledgment that this has been done. .. _`Maintainers`: https://quips-qt-io.herokuapp.com/quip-0002.html#maintainers 
@@ -94,6 +99,8 @@ Handling of Reported Security Issues relevant contributors and third parties. * If the reported vulnerability is in third-party code, then the Core Security Team coordinates with Maintainers and the respective third party. +* If the reported vulnerability is in commercially licensed only code, then the + Qt Company will handle it accordingly. * Reported issues that are assessed to not have an impact on security can be handled as regular bug reports, and may be filed by a suitable party in the normal bugreports.qt.io tracker. @@ -105,7 +112,7 @@ How will Issues be Disclosed? are listed in the `Common Vulnerabilities and Exposures database`_, and if needed files them after the risk assessment. * Security issues will be disclosed by an email to the announce@qt-project.org - mailing list once the CVE entry is published. + mailing list and to all commercial licencees once the CVE entry is published. * All members of the Core Security Team must have posting rights for the announce@qt-project.org list for this purpose. * All security announcements will be made on behalf of the Qt Project, though |
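Review bot: the new sentence in the "Reporting Security Issues" hunk tells commercial licensees to use the support portal's "Security Issues" category but gives no link to that portal, while the community route names its address (security@qt-project.org) explicitly; add the portal URL, or a reference to the document that defines it, so a reporter does not have to guess. The sentence also leaves open whether a report sent through the portal is subject to the business-day moderation and the "contact the Chief Maintainer directly" escalation described in the bullets that follow; a half sentence such as "and is then handled as described below" would close that gap.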
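Review bot: the subject of the added bullet in the @@ -68 hunk is unclear: "For security issues reported to the Qt Company Support team, they will be reported to security@qt-project.org" reads as if the Support team is what gets reported. Name the actor instead, e.g. "The Qt Company Support team forwards security issues it receives to security@qt-project.org and sends the reporter an acknowledgment that this has been done." The bullet also sets no time bound on the forwarding, unlike the business-day commitment given for the mailing list two bullets earlier, so a reporter who used the portal has no point at which the Chief Maintainer escalation would kick in.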
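Review bot: "the Qt Company will handle it accordingly" in the new "Handling of Reported Security Issues" bullet is not a process statement: it does not say whether the risk assessment, CVE filing and announcement steps in the rest of this section and the next still apply to commercially licensed code, or who the reporter hears back from. Spell out the minimum, e.g. "then the Qt Company assesses and fixes it, and the disclosure process below applies", or state explicitly that such code is out of scope of this policy. "commercially licensed only code" also reads awkwardly; "code that is available only under a commercial license" is clearer.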
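Review bot: the spelling "licencees" in the changed disclosure line differs from "licensees" used in the "Reporting Security Issues" hunk of this same patch; pick one (the earlier hunk's "licensees" matches "licensed" elsewhere in the patch). The line also adds a second disclosure channel without saying what it is: announce@qt-project.org is a mailing list, whereas "all commercial licencees" implies a direct notification, so state the mechanism and whether it goes out at the same time as the list post, so that "once the CVE entry is published" remains a single disclosure moment rather than two.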