X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=doc%2Fguides%2Fcontributing%2Fvulnerability.rst;h=b6300252ad29415f6f2bdca8d269a425fff21ea0;hb=2e3dbc80cc012f11799c7eda866e1168dadb5032;hp=5484119d19aac3ac51f4566cece74ba8626cf1b6;hpb=a46987cf94997a4946dda186c811c6aa0ff894ab;p=dpdk.git diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index 5484119d19..b6300252ad 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -8,7 +8,7 @@ Scope ----- Only the main repositories (dpdk and dpdk-stable) of the core project -are in the scope of this security process. +are in the scope of this security process (including experimental APIs). If a stable branch is declared unmaintained (end of life), no fix will be applied. @@ -36,11 +36,11 @@ Report Do not use Bugzilla (unsecured). Instead, send GPG-encrypted emails -to `security@dpdk.org `_. +to `security@dpdk.org `_. Anyone can post to this list. In order to reduce the disclosure of a vulnerability in the early stages, membership of this list is intentionally limited to a `small number of people -`_. +`_. It is additionally encouraged to GPG-sign one-on-one conversations as part of the security process. @@ -182,13 +182,13 @@ When the fix is ready, the security advisory and patches are sent to downstream stakeholders (`security-prerelease@dpdk.org `_), specifying the date and time of the end of the embargo. -The public disclosure should happen in **less than one week**. +The communicated public disclosure date should be **less than one week** Downstream stakeholders are expected not to deploy or disclose patches until the embargo is passed, otherwise they will be removed from the list. Downstream stakeholders (in `security-prerelease list -`_), are: +`_), are: * Operating system vendors known to package DPDK * Major DPDK users, considered trustworthy by the technical board, who
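Review bot: in the Scope hunk the new parenthetical "(including experimental APIs)" is attached to "this security process" rather than to the repositories, so it reads as if the process itself had experimental APIs; suggest "are in the scope of this security process, including their experimental APIs." Since the next sentence ("If a stable branch is declared unmaintained (end of life), no fix will be applied.") is unchanged, it would also help to say explicitly that the experimental-API clause does not override that end-of-life exclusion.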
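Review bot: in the Report hunk the removed and added lines for the `security@dpdk.org` link and the `small number of people` link read identically in this diff, so the change to the link targets cannot be reviewed from what is shown; as rendered here, `` `security@dpdk.org `_ `` and `` `small number of people `_ `` carry no embedded target (the `<...>` part of an RST external reference is missing), which Sphinx reports as references to undefined hyperlink targets. Please confirm the targets are present in the committed file. In the same hunk, "Do not use Bugzilla (unsecured)" would be clearer as "Do not use Bugzilla, as reports filed there are not confidential", since the concern is that the report would be visible to everyone, not transport security.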
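Review bot: in the embargo hunk the new sentence "The communicated public disclosure date should be **less than one week**" has no reference point and no terminating period, so it is less precise than the line it replaces ("The public disclosure should happen in **less than one week**."). Since the preceding sentence says the mail to downstream stakeholders specifies the date and time of the end of the embargo, suggest "The communicated public disclosure date should be **less than one week** after the advisory and patches are sent to downstream stakeholders." The unchanged context "until the embargo is passed" would also read better as "until the embargo has passed".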