Details
- User Story
- Resolution: Done
- P2: Important
- None
- 9ae3fa87202ef657f907276465c90c195bf07a81

Description
Users of and contributors to the Qt project expect a professional security policy to be documented by the Qt Project.
Such a policy needs to document:
- how the project expects to be notified about security issues
- how the project will respond to such notifications
- which routines the project has established to proactively discover and prevent vulnerabilities
- how confirmed vulnerabilities and exposures will be published
As of now, the Security Policy lives on a wiki page at https://wiki.qt.io/Qt_Project_Security_Policy where some of these points are answered.
However, some of the existing processes are not following industry standards. For example, announcing confirmed vulnerabilities via announce@qt-project.org does not result in an entry in the "Common Vulnerabilities and Exposures" (CVE) database.
In addition, some established processes are not documented; for example, The Qt Company regularly executes fuzzing and auditing, including source code review and static code analysis.
Formally, the Qt project has established Qt's Utilitarian Improvement Process (QUIP, see http://quips-qt-io.herokuapp.com) to document such processes in a standardized and auditable way. This policy should be migrated into a QUIP.