-----
Only the main repositories (dpdk and dpdk-stable) of the core project
-are in the scope of this security process.
+are in the scope of this security process (including experimental APIs).
If a stable branch is declared unmaintained (end of life),
no fix will be applied.
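Review bot: the scope change adds experimental APIs only as a parenthetical on the repository sentence, so it reads as an aside about the repositories rather than a statement about which APIs get fixes; state it as its own sentence (e.g. "Experimental APIs are in scope as well.") and say whether such fixes are also backported to maintained stable branches, since the sentence that follows only covers the end-of-life case.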
Do not use Bugzilla (unsecured).
Instead, send GPG-encrypted emails
-to `security@dpdk.org <http://core.dpdk.org/security#contact>`_.
+to `security@dpdk.org <https://core.dpdk.org/security#contact>`_.
Anyone can post to this list.
In order to reduce the disclosure of a vulnerability in the early stages,
membership of this list is intentionally limited to a `small number of people
-<http://mails.dpdk.org/roster/security>`_.
+<https://mails.dpdk.org/roster/security>`_.
It is additionally encouraged to GPG-sign one-on-one conversations
as part of the security process.
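Review bot: the http to https link updates are fine as they are; while touching this paragraph, the line "send GPG-encrypted emails to security@dpdk.org" still does not say where the recipient key is published, whereas the new OSS-security paragraph later in this patch does ("using the PGP key listed on the same page"). If the key is on the linked contact page, add the same pointer here so reporters can actually encrypt to the team.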
to downstream stakeholders
(`security-prerelease@dpdk.org <mailto:security-prerelease@dpdk.org>`_),
specifying the date and time of the end of the embargo.
-The public disclosure should happen in **less than one week**.
+The communicated public disclosure date should be **less than one week**
Downstream stakeholders are expected not to deploy or disclose patches
until the embargo is passed, otherwise they will be removed from the list.
Downstream stakeholders (in `security-prerelease list
-<http://mails.dpdk.org/roster/security-prerelease>`_), are:
+<https://mails.dpdk.org/roster/security-prerelease>`_), are:
* Operating system vendors known to package DPDK
* Major DPDK users, considered trustworthy by the technical board, who
have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
+The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
+also be contacted one week before the end of the embargo, as indicated by `the
+OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
+and using the PGP key listed on the same page, describing the details of the
+vulnerability and sharing the patch[es]. Distributions and major vendors follow
+this private mailing list, and it functions as a single point of contact for
+embargoed advance notices for open source projects.
+
The security advisory will be based on below template,
and will be sent signed with a security team's member GPG key.
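Review bot: the replacement line "The communicated public disclosure date should be **less than one week**" is an incomplete sentence: it drops the reference point that the old wording had and has no terminal period, so it runs into "Downstream stakeholders are expected ...". Complete it, e.g. "should be **less than one week** after this notification." Second, the links in the new OSS-security paragraph are not valid reST hyperlinks: on the `OSS security private mailing list` line the `<` before `mailto:` is missing, and both that link and the `OSS-security process` link lack the trailing `_` that every other link in this file uses, so docutils will render them as interpreted text, not links. Third, if there is no blank line between the last bullet ("have made the request to techboard@dpdk.org") and the new paragraph, docutils will emit "Bullet list ends without a blank line" and mis-nest the text; add one. Minor: "patch[es]" should simply read "patches".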
do not have to deal with security updates over the weekend.
The security advisory is posted
-to `announce@dpdk.org <mailto:announce@dpdk.org>`_
-as soon as the patches are pushed to the appropriate branches.
+to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
+mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
+are pushed to the appropriate branches.
Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.
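Review bot: the new `the public OSS-security mailing list <mailto:oss-security@lists.openwall.com>` reference ends with a bare backtick instead of the `_ used by the announce@dpdk.org link just before it, so it will not render as a hyperlink; add the trailing underscore. The rest of the hunk is consistent with the private distros notification added earlier in this patch (embargoed notice first, public post when the patches land).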