From 90d2403560cb212179a678588fc2ff1c49c083d5 Mon Sep 17 00:00:00 2001 From: Andy Shaw Date: Fri, 5 Jun 2020 15:15:37 +0200 Subject: QUIP-15: Update to account for commercial licensees Commercial licensees can report security issues via the support portal so that the fact that they are using Qt can be kept known only to those inside The Qt Company. Additionally, this refers to the fact that commercial only code that has a security issue can be reported in the same manner. Change-Id: I6b4da1026a56a674effd8fa4f86078a577302dcd Reviewed-by: Alex Blasche Reviewed-by: Lars Knoll --- quip-0015-Security-Policy.rst | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/quip-0015-Security-Policy.rst b/quip-0015-Security-Policy.rst index 803325d..177c97c 100644 --- a/quip-0015-Security-Policy.rst +++ b/quip-0015-Security-Policy.rst @@ -6,7 +6,7 @@ Type: Process Content-Type: text/x-rst Created: 2019-05-21 Post-History: https://lists.qt-project.org/pipermail/development/2019-May/036030.html - + https://lists.qt-project.org/pipermail/development/2020-June/039672.html Qt Project Security Policy ========================== @@ -56,7 +56,9 @@ Reporting Security Issues ------------------------- Security issues should not be reported via the normal bugreports.qt.io tracker, -but should instead be sent to security@qt-project.org +but should instead be sent to security@qt-project.org. For commercial licensees, +the issue can be reported to the Qt Company Support team via the support +portal, using the "Security Issues" category. * The Core Security Team monitors and moderates incoming emails on business days (i.e. not including weekends), and approves all posts that are not spam. 
@@ -68,6 +70,9 @@ but should instead be sent to security@qt-project.org then the reporter should contact the Chief Maintainer directly. * The Core Security Team controls membership of the security@qt-project.org; generally, all `Maintainers`_ are subscribed to this list. +* For security issues reported to the Qt Company Support team, they will be + reported to security@qt-project.org and the reporter will be sent an + acknowledgment that this has been done. .. _`Maintainers`: https://quips-qt-io.herokuapp.com/quip-0002.html#maintainers @@ -94,6 +99,8 @@ Handling of Reported Security Issues relevant contributors and third parties. * If the reported vulnerability is in third-party code, then the Core Security Team coordinates with Maintainers and the respective third party. +* If the reported vulnerability is in commercially licensed only code, then the + Qt Company will handle it accordingly. * Reported issues that are assessed to not have an impact on security can be handled as regular bug reports, and may be filed by a suitable party in the normal bugreports.qt.io tracker. @@ -105,7 +112,7 @@ How will Issues be Disclosed? are listed in the `Common Vulnerabilities and Exposures database`_, and if needed files them after the risk assessment. * Security issues will be disclosed by an email to the announce@qt-project.org - mailing list once the CVE entry is published. + mailing list and to all commercial licencees once the CVE entry is published. * All members of the Core Security Team must have posting rights for the announce@qt-project.org list for this purpose. * All security announcements will be made on behalf of the Qt Project, though -- cgit v1.2.3
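Review bot: In the "Reporting Security Issues" hunk, the new sentence for commercial licensees names a support-portal category ("Security Issues") but gives no link to the portal, whereas the email path beside it is a concrete address; add a URL or an RST reference in the style of the `Maintainers`_ link used later in the file so reporters can find the entry point, and state whether reports through the portal get the same business-day moderation and acknowledgment that the following bullet promises for email reports.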
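Review bot: In the added bullet "For security issues reported to the Qt Company Support team, they will be reported to security@qt-project.org", the subject "they" reads as either the issues or the Support team; suggest "the Support team forwards them to security@qt-project.org". The bullet also does not say what is forwarded: the commit message gives keeping a licensee's use of Qt inside The Qt Company as the motivation, so stating that the forwarded report does not identify the reporter or their company would make that guarantee part of the policy text rather than of the commit message.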
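Review bot: "then the Qt Company will handle it accordingly" in the "Handling of Reported Security Issues" hunk leaves the process for commercial-only code undefined, while the neighbouring bullets name who coordinates (Core Security Team, Maintainers, the third party); the bullet should at least say whether the risk assessment, CVE filing and disclosure steps in the following section still apply to such issues and who owns them. "commercially licensed only code" would also read more clearly as "code available only under a commercial license".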
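Review bot: "licencees" in the changed disclosure line is spelled "licensees" in the commit subject and in the first hunk ("For commercial licensees"); make the spelling consistent. Disclosing "to all commercial licencees" also adds a notification channel separate from announce@qt-project.org, and the next bullet only provides for Core Security Team posting rights on that list, so say who sends the licensee notification and by what means.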