Message ID | 20201203142902.474883-2-ppandit@redhat.com |
---|---|
State | New |
Headers | show |
Series | security-process: update with mailing list details | expand |
On Thu, Dec 03, 2020 at 07:59:02PM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > contribute/security-process.md | 154 ++++++++++++++++++++------------- > 1 file changed, 95 insertions(+), 59 deletions(-) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel
On Thursday, 2020-12-03 at 19:59:02 +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Thanks, Darren
On Thu, Dec 03, 2020 at 07:59:02PM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > contribute/security-process.md | 154 ++++++++++++++++++++------------- > 1 file changed, 95 insertions(+), 59 deletions(-) Reviewed-by: Petr Matousek <pmatouse@redhat.com> Thanks!
Quoting P J P (2020-12-03 08:29:02) > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > contribute/security-process.md | 154 ++++++++++++++++++++------------- > 1 file changed, 95 insertions(+), 59 deletions(-) > > Update v2: incorporate inputs from upstream reviews > -> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Farchive%2Fhtml%2Fqemu-devel%2F2020-12%2Fmsg00568.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=mmvwGiZ9dbuPML6gxiHW0HPbACQ5KkFoTnX%2F0zoZ0Dg%3D&reserved=0 > -> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Farchive%2Fhtml%2Fqemu-devel%2F2020-12%2Fmsg00584.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YCDVNuoF1TsPgvHmBMnCKFVMq6jSdDLSpYRa%2BDNr9z8%3D&reserved=0 > > diff --git a/contribute/security-process.md b/contribute/security-process.md > index 1239967..13b6b97 100644 > --- a/contribute/security-process.md > +++ b/contribute/security-process.md > @@ -3,72 +3,110 @@ title: Security Process > permalink: /contribute/security-process/ > --- > > -QEMU takes security very seriously, and we aim to take immediate action to > -address serious security-related problems that involve our product. > - > -Please report any suspected security vulnerability in QEMU to the following > -addresses. You can use GPG keys for respective receipients to communicate with > -us securely. If you do, please upload your GPG public key or supply it to us > -in some other way, so that we can communicate to you in a secure way, too! > -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us > -identify your message as security-related. > - > -## QEMU Security Contact List > - > -Please copy everyone on this list: > - > - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint > -:-----------------------|:------------------------------|:--------------|:---------:|:-------------------- > - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0xC3503912AFBE8E67&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ach%2FMe1VOaT98jtMyPJC4I0uAo4uROCecrjiS8MmpkU%3D&reserved=0) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 > - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x3E786F42C44977CA&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=9ZvtaQbfvaZl7JPIXIRPXuV4SNc%2FYrsa6nYmP7gqAFM%3D&reserved=0) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA > - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x894F8F4870E1AE90&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879460819%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Crn3Vjvg4yhGV08muovU2xoxDhU62UQHGoXRyEAlowY%3D&reserved=0) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 > - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsite%2Fsecurity%2Fteam%2Fcontact%2F%23contact&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F9S%2B48R1svm2onjH%2B0s94eIOsDjn12oOEmhX2a4TLMQ%3D&reserved=0) | > - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpgp.mit.edu%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0x3353C9CEF108B584&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=heJAgFDdBUdhmSDAZUV6WaR6MaQXzcXfCCWNC2LN5Wg%3D&reserved=0) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 > - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpool.sks-keyservers.net%2Fpks%2Flookup%3Fop%3Dvindex%26search%3D0xE2858B5AF050DE8D&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Y0loOnpwtCDOJYeL%2B7VkLHFTuRh9dVeHRTp5xPN5EwU%3D&reserved=0) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D > - > -## How to Contact Us Securely > - > -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail > -sent to members of the list can be encrypted with public keys of all members > -of the list. We expect to change some of the keys we use from time to time. > -Should a key change, the previous one will be revoked. > - > -## How we respond > - > -Maintainers listed on the security reporting list operate a policy of > -responsible disclosure. As such they agree that any information you share with > -them about security issues that are not public knowledge is kept confidential > -within respective affiliated companies. It is not passed on to any third-party, > -including Xen Security Project, without your permission. > - > -Email sent to us is read and acknowledged with a non-automated response. For > -issues that are complicated and require significant attention, we will open an > -investigation and keep you informed of our progress. We might take one or more > -of the following steps: > +Please report any suspected security issue in QEMU to the security mailing > +list at: > + > +* [\<qemu-security@nongnu.org\>](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nongnu.org%2Fmailman%2Flistinfo%2Fqemu-security&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Dgnc%2FyzLIGzHUA6qfMewzRxMTypxM4mUWFKQptKogx4%3D&reserved=0) > + > +To report an issue via [GPG](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgnupg.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=y%2BNR12H9ETsYX0dky9JfrAGdyKx1Sp%2FCPvAO8g%2BRYH0%3D&reserved=0) encrypted email, please send > +it to the Red Hat Product Security team at: > + > +* [\<secalert@redhat.com\>](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fteam%2Fcontact%2F%23contact&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=HWZxebDeAX1vEx0Qyg066Seml3ODlr%2FxxKoAWYvFQhc%3D&reserved=0) > + > +**Note:** after the triage, encrypted issue details shall be sent to the upstream > +'qemu-security' mailing list for archival purposes. > + > +## How to report an issue: > + > +* Please include as many details as possible in the issue report. > + Ex: > + - QEMU version, upstream commit/tag > + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc. > + - Affected code area/snippets > + - Stack traces, crash details > + - Malicious inputs/reproducer steps etc. > + - Any configurations/settings required to trigger the issue. > + > +* Please share the QEMU command line used to invoke a guest VM. > + > +* Please specify whom to acknowledge for reporting this issue. > + > +## How we respond: > + > +* Process of handling security issues comprises following steps: > + > + 0) **Acknowledge:** > + - A non-automated response email is sent to the reporter(s) to acknowledge > + the reception of the report. (*60 day's counter starts here*) > + > + 1) **Triage:** > + - Examine the issue details and confirm whether the issue is genuine > + - Validate if it can be misused for malicious purposes > + - Determine its worst case impact and severity > + [Low/Moderate/Important/Critical] > + > + 2) **Response:** > + - Negotiate embargo timeline (if required, depending on severity) > + - Request a [CVE](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcveform.mitre.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tX%2FfJOD5YLlBiub1eq0Wzo1eXaMI30U2x76JnSRTM0k%3D&reserved=0) and open an upstream > + [bug](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fcontribute%2Freport-a-bug%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sNNjhfl3KhOEnmEnIX4st9%2FJtxVWQVHAnN4xCpRTrgs%3D&reserved=0) > + - Create an upstream fix patch annotated with > + - CVE-ID > + - Link to an upstream bugzilla > + - Reported-by, Tested-by etc. tags > + - Once the patch is merged, close the upstream bug with a link to the > + commit > + - Fixed in: <commit hash/link> > + > +* Above security lists are operated by select analysts, maintainers and/or > + representatives from downstream communities. > + > +* List members follow a **responsible disclosure** policy. Any non-public > + information you share about security issues, is kept confidential within > + members of the QEMU security team and a minimal supporting staff in their > + affiliated companies. Such information will not be disclosed to third party > + organisations/individuals without prior permission from the reporter(s). > + > +* We aim to process security issues within maximum of **60 days**. That is not > + to say that issues will remain private for 60 days, nope. After the triaging > + step above > + - If severity of the issue is sufficiently low, an upstream public bug > + will be created immediately. > + - If severity of the issue requires co-ordinated disclosure at a future > + date, then the embargo process below is followed, and upstream bug will > + be opened at the end of the embargo period. > + > + This will allow upstream contributors to create, test and track fix patch(es). > > ### Publication embargo > > -If a security issue is reported that is not already publicly disclosed, an > -embargo date may be assigned and communicated to the reporter. Embargo > -periods will be negotiated by mutual agreement between members of the security > -team and other relevant parties to the problem. Members of the security contact > -list agree not to publicly disclose any details of the security issue until > -the embargo date expires. > +* If a security issue is reported that is not already public and its severity > + requires coordinated disclosure, then an embargo date will be set and > + communicated to the reporter(s). > + > +* Embargo periods will be negotiated by mutual agreement between reporter(s), > + members of the security list and other relevant parties to the problem. > + The preferred embargo period is upto [2 > + weeks](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Foss-security.openwall.org%2Fwiki%2Fmailing-lists%2Fdistros&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cfAc%2B9w%2BDt6KsGgZtaOG%2BLfaVbZ637L2fYLINX1Qhng%3D&reserved=0). > + However, longer embargoes may be negotiated if the severity of the issue > + requires it. > + > +* Members of the security list agree not to publicly disclose any details of > + an embargoed security issue until its embargo date expires. > > ### CVE allocation > > -An security issue is assigned with a CVE number. The CVE numbers will usually > -be allocated by one of the vendor security engineers on the security contact > -list. > +Each security issue is assigned a [CVE](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcveform.mitre.org%2F&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tX%2FfJOD5YLlBiub1eq0Wzo1eXaMI30U2x76JnSRTM0k%3D&reserved=0) number. > +The CVE number is allocated by one of the vendor security engineers on the > +security list. > > -## When to contact the QEMU Security Contact List > +## When to contact the QEMU Security List > > -You should contact the Security Contact List if: > +You should contact the Security List if: > * You think there may be a security vulnerability in QEMU. > * You are unsure about how a known vulnerability affects QEMU. > * You can contact us in English. We are unable to respond in other languages. > > -## When *not* to contact the QEMU Security Contact List > +## When *not* to contact the QEMU Security List > * You need assistance in a language other than English. > * You require technical assistance (for example, "how do I configure QEMU?"). > * You need help upgrading QEMU due to security alerts. > @@ -76,6 +114,9 @@ You should contact the Security Contact List if: > > ## How impact and severity of a bug is decided > > +**Security criterion:** > + -> [https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fdocs%2Fmaster%2Fsystem%2Fsecurity.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879470809%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=YxhVZOXdQSSenKq%2BrLAp%2FRbbXAQUV1fpPw13Xj6TP18%3D&reserved=0](https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.qemu.org%2Fdocs%2Fmaster%2Fsystem%2Fsecurity.html&data=04%7C01%7Cmichael.roth%40amd.com%7C513aba522bf0449271f908d897981c81%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637426026879480803%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=QxrnZB67HVdg9B97FBcCNjP1Y%2F%2BSao4gn0X8ZVhh%2B2c%3D&reserved=0) > + > All security issues in QEMU are not equal. Based on the parts of the QEMU > sources wherein the bug is found, its impact and severity could vary. > > @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it > is generally assumed that the guest is trusted. > > And thus, this buffer overflow turned out to be a security non-issue. > - > -## What to Send to the QEMU Security Contact List > - > -Please provide as much information about your system and the issue as possible > -when contacting the list. > -- > 2.28.0 > Reviewed-by: Michael Roth <michael.roth@amd.com>
On Thu, 3 Dec 2020, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Acked-by: Stefano Stabellini <sstabellini@kernel.org> > --- > contribute/security-process.md | 154 ++++++++++++++++++++------------- > 1 file changed, 95 insertions(+), 59 deletions(-) > > Update v2: incorporate inputs from upstream reviews > -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00568.html > -> https://lists.nongnu.org/archive/html/qemu-devel/2020-12/msg00584.html > > diff --git a/contribute/security-process.md b/contribute/security-process.md > index 1239967..13b6b97 100644 > --- a/contribute/security-process.md > +++ b/contribute/security-process.md > @@ -3,72 +3,110 @@ title: Security Process > permalink: /contribute/security-process/ > --- > > -QEMU takes security very seriously, and we aim to take immediate action to > -address serious security-related problems that involve our product. > - > -Please report any suspected security vulnerability in QEMU to the following > -addresses. You can use GPG keys for respective receipients to communicate with > -us securely. If you do, please upload your GPG public key or supply it to us > -in some other way, so that we can communicate to you in a secure way, too! > -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us > -identify your message as security-related. > - > -## QEMU Security Contact List > - > -Please copy everyone on this list: > - > - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint > -:-----------------------|:------------------------------|:--------------|:---------:|:-------------------- > - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 > - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA > - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 > - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://access.redhat.com/site/security/team/contact/#contact) | > - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 > - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D > - > -## How to Contact Us Securely > - > -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail > -sent to members of the list can be encrypted with public keys of all members > -of the list. We expect to change some of the keys we use from time to time. > -Should a key change, the previous one will be revoked. > - > -## How we respond > - > -Maintainers listed on the security reporting list operate a policy of > -responsible disclosure. As such they agree that any information you share with > -them about security issues that are not public knowledge is kept confidential > -within respective affiliated companies. It is not passed on to any third-party, > -including Xen Security Project, without your permission. > - > -Email sent to us is read and acknowledged with a non-automated response. For > -issues that are complicated and require significant attention, we will open an > -investigation and keep you informed of our progress. We might take one or more > -of the following steps: > +Please report any suspected security issue in QEMU to the security mailing > +list at: > + > +* [\<qemu-security@nongnu.org\>](https://lists.nongnu.org/mailman/listinfo/qemu-security) > + > +To report an issue via [GPG](https://gnupg.org/) encrypted email, please send > +it to the Red Hat Product Security team at: > + > +* [\<secalert@redhat.com\>](https://access.redhat.com/security/team/contact/#contact) > + > +**Note:** after the triage, encrypted issue details shall be sent to the upstream > +'qemu-security' mailing list for archival purposes. > + > +## How to report an issue: > + > +* Please include as many details as possible in the issue report. > + Ex: > + - QEMU version, upstream commit/tag > + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc. > + - Affected code area/snippets > + - Stack traces, crash details > + - Malicious inputs/reproducer steps etc. > + - Any configurations/settings required to trigger the issue. > + > +* Please share the QEMU command line used to invoke a guest VM. > + > +* Please specify whom to acknowledge for reporting this issue. > + > +## How we respond: > + > +* Process of handling security issues comprises following steps: > + > + 0) **Acknowledge:** > + - A non-automated response email is sent to the reporter(s) to acknowledge > + the reception of the report. (*60 day's counter starts here*) > + > + 1) **Triage:** > + - Examine the issue details and confirm whether the issue is genuine > + - Validate if it can be misused for malicious purposes > + - Determine its worst case impact and severity > + [Low/Moderate/Important/Critical] > + > + 2) **Response:** > + - Negotiate embargo timeline (if required, depending on severity) > + - Request a [CVE](https://cveform.mitre.org/) and open an upstream > + [bug](https://www.qemu.org/contribute/report-a-bug/) > + - Create an upstream fix patch annotated with > + - CVE-ID > + - Link to an upstream bugzilla > + - Reported-by, Tested-by etc. tags > + - Once the patch is merged, close the upstream bug with a link to the > + commit > + - Fixed in: <commit hash/link> > + > +* Above security lists are operated by select analysts, maintainers and/or > + representatives from downstream communities. > + > +* List members follow a **responsible disclosure** policy. Any non-public > + information you share about security issues, is kept confidential within > + members of the QEMU security team and a minimal supporting staff in their > + affiliated companies. Such information will not be disclosed to third party > + organisations/individuals without prior permission from the reporter(s). > + > +* We aim to process security issues within maximum of **60 days**. That is not > + to say that issues will remain private for 60 days, nope. After the triaging > + step above > + - If severity of the issue is sufficiently low, an upstream public bug > + will be created immediately. > + - If severity of the issue requires co-ordinated disclosure at a future > + date, then the embargo process below is followed, and upstream bug will > + be opened at the end of the embargo period. > + > + This will allow upstream contributors to create, test and track fix patch(es). > > ### Publication embargo > > -If a security issue is reported that is not already publicly disclosed, an > -embargo date may be assigned and communicated to the reporter. Embargo > -periods will be negotiated by mutual agreement between members of the security > -team and other relevant parties to the problem. Members of the security contact > -list agree not to publicly disclose any details of the security issue until > -the embargo date expires. > +* If a security issue is reported that is not already public and its severity > + requires coordinated disclosure, then an embargo date will be set and > + communicated to the reporter(s). > + > +* Embargo periods will be negotiated by mutual agreement between reporter(s), > + members of the security list and other relevant parties to the problem. > + The preferred embargo period is upto [2 > + weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros). > + However, longer embargoes may be negotiated if the severity of the issue > + requires it. > + > +* Members of the security list agree not to publicly disclose any details of > + an embargoed security issue until its embargo date expires. > > ### CVE allocation > > -An security issue is assigned with a CVE number. The CVE numbers will usually > -be allocated by one of the vendor security engineers on the security contact > -list. > +Each security issue is assigned a [CVE](https://cveform.mitre.org/) number. > +The CVE number is allocated by one of the vendor security engineers on the > +security list. > > -## When to contact the QEMU Security Contact List > +## When to contact the QEMU Security List > > -You should contact the Security Contact List if: > +You should contact the Security List if: > * You think there may be a security vulnerability in QEMU. > * You are unsure about how a known vulnerability affects QEMU. > * You can contact us in English. We are unable to respond in other languages. > > -## When *not* to contact the QEMU Security Contact List > +## When *not* to contact the QEMU Security List > * You need assistance in a language other than English. > * You require technical assistance (for example, "how do I configure QEMU?"). > * You need help upgrading QEMU due to security alerts. > @@ -76,6 +114,9 @@ You should contact the Security Contact List if: > > ## How impact and severity of a bug is decided > > +**Security criterion:** > + -> [https://www.qemu.org/docs/master/system/security.html](https://www.qemu.org/docs/master/system/security.html) > + > All security issues in QEMU are not equal. Based on the parts of the QEMU > sources wherein the bug is found, its impact and severity could vary. > > @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it > is generally assumed that the guest is trusted. > > And thus, this buffer overflow turned out to be a security non-issue. > - > -## What to Send to the QEMU Security Contact List > - > -Please provide as much information about your system and the issue as possible > -when contacting the list. > -- > 2.28.0 >
On Thu, Dec 03, 2020 at 06:29:02AM -0800, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Thank you!
Hi Prasad, On 12/3/20 3:29 PM, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > We are about to introduce a qemu-security mailing list to report > and triage QEMU security issues. > > Update the security process web page with new mailing list address > and triage details. > > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > contribute/security-process.md | 154 ++++++++++++++++++++------------- > 1 file changed, 95 insertions(+), 59 deletions(-) What is the status of this, is something missing? Thanks, Phil.
+-- On Thu, 14 Jan 2021, Philippe Mathieu-Daudé wrote --+ | What is the status of this, is something missing? -> https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg04469.html It is up and running.^^ Thank you. -- Prasad J Pandit / Red Hat Product Security Team 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
On 1/14/21 4:31 PM, P J P wrote: > +-- On Thu, 14 Jan 2021, Philippe Mathieu-Daudé wrote --+ > | What is the status of this, is something missing? > > -> https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg04469.html > > It is up and running.^^ Ah, this is a qemu-web patch, sorry...
diff --git a/contribute/security-process.md b/contribute/security-process.md index 1239967..13b6b97 100644 --- a/contribute/security-process.md +++ b/contribute/security-process.md @@ -3,72 +3,110 @@ title: Security Process permalink: /contribute/security-process/ --- -QEMU takes security very seriously, and we aim to take immediate action to -address serious security-related problems that involve our product. - -Please report any suspected security vulnerability in QEMU to the following -addresses. You can use GPG keys for respective receipients to communicate with -us securely. If you do, please upload your GPG public key or supply it to us -in some other way, so that we can communicate to you in a secure way, too! -Please include the tag **\[QEMU-SECURITY\]** on the subject line to help us -identify your message as security-related. - -## QEMU Security Contact List - -Please copy everyone on this list: - - Contact Person(s) | Contact Address | Company | GPG Key | GPG key fingerprint -:-----------------------|:------------------------------|:--------------|:---------:|:-------------------- - Michael S. Tsirkin | mst@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xC3503912AFBE8E67) | 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67 - Petr Matousek | pmatouse@redhat.com | Red Hat Inc. | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3E786F42C44977CA) | 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA - Stefano Stabellini | sstabellini@kernel.org | Independent | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x894F8F4870E1AE90) | D04E 33AB A51F 67BA 07D3 0AEA 894F 8F48 70E1 AE90 - Security Response Team | secalert@redhat.com | Red Hat Inc. | [🔑](https://access.redhat.com/site/security/team/contact/#contact) | - Michael Roth | michael.roth@amd.com | AMD | [🔑](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3353C9CEF108B584) | CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584 - Prasad J Pandit | pjp@redhat.com | Red Hat Inc. | [🔑](http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0xE2858B5AF050DE8D) | 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D - -## How to Contact Us Securely - -We use GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail -sent to members of the list can be encrypted with public keys of all members -of the list. We expect to change some of the keys we use from time to time. -Should a key change, the previous one will be revoked. - -## How we respond - -Maintainers listed on the security reporting list operate a policy of -responsible disclosure. As such they agree that any information you share with -them about security issues that are not public knowledge is kept confidential -within respective affiliated companies. It is not passed on to any third-party, -including Xen Security Project, without your permission. - -Email sent to us is read and acknowledged with a non-automated response. For -issues that are complicated and require significant attention, we will open an -investigation and keep you informed of our progress. We might take one or more -of the following steps: +Please report any suspected security issue in QEMU to the security mailing +list at: + +* [\<qemu-security@nongnu.org\>](https://lists.nongnu.org/mailman/listinfo/qemu-security) + +To report an issue via [GPG](https://gnupg.org/) encrypted email, please send +it to the Red Hat Product Security team at: + +* [\<secalert@redhat.com\>](https://access.redhat.com/security/team/contact/#contact) + +**Note:** after the triage, encrypted issue details shall be sent to the upstream +'qemu-security' mailing list for archival purposes. + +## How to report an issue: + +* Please include as many details as possible in the issue report. + Ex: + - QEMU version, upstream commit/tag + - Host & Guest architecture x86/Arm/PPC, 32/64 bit etc. + - Affected code area/snippets + - Stack traces, crash details + - Malicious inputs/reproducer steps etc. + - Any configurations/settings required to trigger the issue. + +* Please share the QEMU command line used to invoke a guest VM. + +* Please specify whom to acknowledge for reporting this issue. + +## How we respond: + +* Process of handling security issues comprises following steps: + + 0) **Acknowledge:** + - A non-automated response email is sent to the reporter(s) to acknowledge + the reception of the report. (*60 day's counter starts here*) + + 1) **Triage:** + - Examine the issue details and confirm whether the issue is genuine + - Validate if it can be misused for malicious purposes + - Determine its worst case impact and severity + [Low/Moderate/Important/Critical] + + 2) **Response:** + - Negotiate embargo timeline (if required, depending on severity) + - Request a [CVE](https://cveform.mitre.org/) and open an upstream + [bug](https://www.qemu.org/contribute/report-a-bug/) + - Create an upstream fix patch annotated with + - CVE-ID + - Link to an upstream bugzilla + - Reported-by, Tested-by etc. tags + - Once the patch is merged, close the upstream bug with a link to the + commit + - Fixed in: <commit hash/link> + +* Above security lists are operated by select analysts, maintainers and/or + representatives from downstream communities. + +* List members follow a **responsible disclosure** policy. Any non-public + information you share about security issues, is kept confidential within + members of the QEMU security team and a minimal supporting staff in their + affiliated companies. Such information will not be disclosed to third party + organisations/individuals without prior permission from the reporter(s). + +* We aim to process security issues within maximum of **60 days**. That is not + to say that issues will remain private for 60 days, nope. After the triaging + step above + - If severity of the issue is sufficiently low, an upstream public bug + will be created immediately. + - If severity of the issue requires co-ordinated disclosure at a future + date, then the embargo process below is followed, and upstream bug will + be opened at the end of the embargo period. + + This will allow upstream contributors to create, test and track fix patch(es). ### Publication embargo -If a security issue is reported that is not already publicly disclosed, an -embargo date may be assigned and communicated to the reporter. Embargo -periods will be negotiated by mutual agreement between members of the security -team and other relevant parties to the problem. Members of the security contact -list agree not to publicly disclose any details of the security issue until -the embargo date expires. +* If a security issue is reported that is not already public and its severity + requires coordinated disclosure, then an embargo date will be set and + communicated to the reporter(s). + +* Embargo periods will be negotiated by mutual agreement between reporter(s), + members of the security list and other relevant parties to the problem. + The preferred embargo period is upto [2 + weeks](https://oss-security.openwall.org/wiki/mailing-lists/distros). + However, longer embargoes may be negotiated if the severity of the issue + requires it. + +* Members of the security list agree not to publicly disclose any details of + an embargoed security issue until its embargo date expires. ### CVE allocation -An security issue is assigned with a CVE number. The CVE numbers will usually -be allocated by one of the vendor security engineers on the security contact -list. +Each security issue is assigned a [CVE](https://cveform.mitre.org/) number. +The CVE number is allocated by one of the vendor security engineers on the +security list. -## When to contact the QEMU Security Contact List +## When to contact the QEMU Security List -You should contact the Security Contact List if: +You should contact the Security List if: * You think there may be a security vulnerability in QEMU. * You are unsure about how a known vulnerability affects QEMU. * You can contact us in English. We are unable to respond in other languages. -## When *not* to contact the QEMU Security Contact List +## When *not* to contact the QEMU Security List * You need assistance in a language other than English. * You require technical assistance (for example, "how do I configure QEMU?"). * You need help upgrading QEMU due to security alerts. @@ -76,6 +114,9 @@ You should contact the Security Contact List if: ## How impact and severity of a bug is decided +**Security criterion:** + -> [https://www.qemu.org/docs/master/system/security.html](https://www.qemu.org/docs/master/system/security.html) + All security issues in QEMU are not equal. Based on the parts of the QEMU sources wherein the bug is found, its impact and severity could vary. @@ -122,8 +163,3 @@ used to write programs for the SoC device. In such developer environments, it is generally assumed that the guest is trusted. And thus, this buffer overflow turned out to be a security non-issue. - -## What to Send to the QEMU Security Contact List - -Please provide as much information about your system and the issue as possible -when contacting the list.