From j..@apache.org
Subject svn commit: r1489205 - /cloudstack/site/trunk/content/security.mdtext
Date Mon, 03 Jun 2013 22:16:45 GMT
Author: jlk
Date: Mon Jun  3 22:16:45 2013
New Revision: 1489205

URL: http://svn.apache.org/r1489205
Log:
Correcting markdown bullet list, tweaked intro text

Modified:
    cloudstack/site/trunk/content/security.mdtext

Modified: cloudstack/site/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/cloudstack/site/trunk/content/security.mdtext?rev=1489205&r1=1489204&r2=1489205&view=diff
==============================================================================
--- cloudstack/site/trunk/content/security.mdtext (original)
+++ cloudstack/site/trunk/content/security.mdtext Mon Jun  3 22:16:45 2013
@@ -2,7 +2,7 @@ Title: Apache CloudStack: Security
 
 ## Apache CloudStack Security
 
-The Apache CloudStack project understands that as a core infrastructure project, the application
security of Apache CloudStack is of critical importance.
+The Apache CloudStack project understands that as a core infrastructure project, the application
security of Apache CloudStack is of critical importance to the community and users.
 
 ### Apache CloudStack Security Team
 
@@ -22,28 +22,34 @@ The security team asks that you **please
 
 ### Procedure for Responding to Potential Security Issues
 
-* Upon receiving notice of a potential security issue, a security team member will create
a bug to track the investigation, this bug must be flagged as a security issue. Security flag
should mean contents of ticket are not visible to non-security team members
-* Security team investigates the issue to confirm/deny the presence of a vulnerability within
CloudStack
-* If the issue is determined not to be a vulnerability the reporter will be notified and
the issue will be closed as invalid.
-* If issue is confirmed as a CloudStack vulnerability:
-** Security team notifies the Apache Security team
-** Security team assigns a risk rating to the vulnerability using the Common Vulnerability
Scoring System
-** Security team works with reporter to get a chance to investigate and mitigate the issue
in a timely manner before public announcement. This should be between 15-30 days, depending
on the severity and complexity of the issue
-** Security team works with Apache Security Team to reserve a CVE Identifier for future public
release
-** Security team works with appropriate code maintainer(s) to create patch to mitigate the
issue
-** Testing is conducted to verify patch mitigates issue and does not cause regression errors
-** Security team creates a vulnerability announcement
-** Patch is committed to trunk and other supported branches that are affected.  The commit
should not refer to a particular vulnerability.
-** A new CloudStack release or hotfix is prepared and tested, containing the new security
patch.
-** Distributor coordination is implemented to enable a coordinated announcement.
-** Security team posts vulnerability announcement to...
-*** CloudStack dev list
-*** CloudStack users list
-*** CloudStack Security alerts web page
-*** The Bugtraq mailing list
-** After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability
and fix. This must happen AFTER the announcement.
-** Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
-* After the vulnerability is addressed, the CloudStack community should review development
processes to see how the community can minimize the chance of similar vulnerabilities being
introduced in the future.
+<ul>
+  <li> Upon receiving notice of a potential security issue, a security team member
will create a bug to track the investigation, this bug must be flagged as a security issue.
Security flag should mean contents of ticket are not visible to non-security team members
+  <li> Security team investigates the issue to confirm/deny the presence of a vulnerability
within CloudStack
+  <li> If the issue is determined not to be a vulnerability the reporter will be notified
and the issue will be closed as invalid.
+  <li> If issue is confirmed as a CloudStack vulnerability:
+  <ul>
+    <li> Security team notifies the Apache Security team
+    <li> Security team assigns a risk rating to the vulnerability using the Common
Vulnerability Scoring System
+    <li> Security team works with reporter to get a chance to investigate and mitigate
the issue in a timely manner before public announcement. This should be between 15-30 days,
depending on the severity and complexity of the issue
+    <li> Security team works with Apache Security Team to reserve a CVE Identifier
for future public release
+    <li> Security team works with appropriate code maintainer(s) to create patch to
mitigate the issue
+    <li> Testing is conducted to verify patch mitigates issue and does not cause regression
errors
+    <li> Security team creates a vulnerability announcement
+    <li> Patch is committed to trunk and other supported branches that are affected.
 The commit should not refer to a particular vulnerability.
+    <li> A new CloudStack release or hotfix is prepared and tested, containing the
new security patch.
+    <li> Distributor coordination is implemented to enable a coordinated announcement.
+    <li> Security team posts vulnerability announcement to...
+    <ul>
+      <li> CloudStack dev list
+      <li> CloudStack users list
+      <li> CloudStack Security alerts web page
+      <li> The Bugtraq mailing list
+    </ul>
+    <li> After announcement, CHANGES and NEWS files need to be updated to reflect the
vulnerability and fix. This must happen AFTER the announcement.
+    <li> Also after announcement, modify the Jira ticket so that the issue is now publicly
viewable.
+  </ul>
+  <li> After the vulnerability is addressed, the CloudStack community should review
development processes to see how the community can minimize the chance of similar vulnerabilities
being introduced in the future.
+</ul>
 
 ### For further information
 
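Review bot: the new `<li>` elements in this hunk are never closed (for example `+  <li> Upon receiving notice of a potential security issue, ...`), and the nested `<ul>` blocks at `+  <ul>` and `+    <ul>` are opened inside an unclosed `<li>`. HTML parsers accept the implied `</li>` closes, but the nesting becomes fragile to edit and several markdown renderers skip processing inside raw block-level HTML; closing each item explicitly, or expressing the nesting with indented `*` bullets instead of raw HTML, would keep the page in one syntax while still removing the `**`/`***` pseudo-nesting the hunk deletes. While the list is being rewritten, the first item still has the comma splice "create a bug to track the investigation, this bug must be flagged as a security issue"; a semicolon or period there would read better.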