doc: prefer https when pointing to dpdk.org

[dpdk.git] / doc / guides / contributing / vulnerability.rst

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index a4bef48..da00acd 100644 (file)
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -36,11 +36,11 @@ Report
 
 Do not use Bugzilla (unsecured).
 Instead, send GPG-encrypted emails
-to `security@dpdk.org <http://core.dpdk.org/security#contact>`_.
+to `security@dpdk.org <https://core.dpdk.org/security#contact>`_.
 Anyone can post to this list.
 In order to reduce the disclosure of a vulnerability in the early stages,
 membership of this list is intentionally limited to a `small number of people
-<http://mails.dpdk.org/roster/security>`_.
+<https://mails.dpdk.org/roster/security>`_.
 
 It is additionally encouraged to GPG-sign one-on-one conversations
 as part of the security process.
@@ -188,12 +188,20 @@ Downstream stakeholders are expected not to deploy or disclose patches
 until the embargo is passed, otherwise they will be removed from the list.
 
 Downstream stakeholders (in `security-prerelease list
-<http://mails.dpdk.org/roster/security-prerelease>`_), are:
+<https://mails.dpdk.org/roster/security-prerelease>`_), are:
 
 * Operating system vendors known to package DPDK
 * Major DPDK users, considered trustworthy by the technical board, who
   have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
 
+The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
+also be contacted one week before the end of the embargo, as indicated by `the
+OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
+and using the PGP key listed on the same page, describing the details of the
+vulnerability and sharing the patch[es]. Distributions and major vendors follow
+this private mailing list, and it functions as a single point of contact for
+embargoed advance notices for open source projects.
+
 The security advisory will be based on below template,
 and will be sent signed with a security team's member GPG key.
 
@@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
 do not have to deal with security updates over the weekend.
 
 The security advisory is posted
-to `announce@dpdk.org <mailto:announce@dpdk.org>`_
-as soon as the patches are pushed to the appropriate branches.
+to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
+mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
+are pushed to the appropriate branches.
 
 Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
 and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.