qemu-devel


From: Michael S. Tsirkin
Subject: Re: [Qemu-devel] [PATCH] MAINTAINERS: addresses for responsible disclosure
Date: Thu, 17 Apr 2014 21:54:33 +0300

On Thu, Apr 17, 2014 at 09:10:12AM -0700, Anthony Liguori wrote:
> On Thu, Apr 17, 2014 at 6:54 AM, Michael S. Tsirkin <address@hidden> wrote:
> > People sometimes detect security issues in upstream
> > QEMU and don't know where to report them in a non-public way.
> > Of course whoever just wants full disclosure can just go public,
> > but there's nothing specified for non-public - until recently Anthony
> > was doing this informally.
> >
> > As I started doing this recently anyway, I can handle this on the QEMU side
> > in a more formal way.
> >
> > Adding a secalert mailing list as well - they are the ones who are actually
> > opening CVEs, communicating issues to all downstreams etc,
> > and they are already handling this for upstream, not just Red Hat.
> >
> > Keeping Anthony's address around in case he wants to be informed.
> >
> > Signed-off-by: Michael S. Tsirkin <address@hidden>
> 
> What about using address@hidden and creating that as a
> moderated mailing list with no public archive?
> 
> That way there's a single contact point and there can be many people
> backing it up to make sure that disclosures are handled very quickly.
> 
> Regards,
> 
> Anthony Liguori

Also I'd like a more explicit name, we don't want general
security related discussions on that list.
address@hidden

?

> > ---
> >  MAINTAINERS | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 34b8c3f..713546f 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -52,6 +52,12 @@ General Project Administration
> >  ------------------------------
> >  M: Anthony Liguori <address@hidden>
> >
> > +Responsible Disclosure, Reporting Security Issues
> > +------------------------------
> > +M: Michael S. Tsirkin <address@hidden>
> > +M: Anthony Liguori <address@hidden>
> > +L: address@hidden
> > +
> >  Guest CPU cores (TCG):
> >  ----------------------
> >  Alpha
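
Review bot: The new "Responsible Disclosure, Reporting Security Issues" section does not say that these contacts are non-public, although the commit message states the goal is a place to report issues "in a non-public way". A reader of MAINTAINERS sees only two M: entries and an L: entry, the same tags used for the ordinary contacts elsewhere in the file, so nothing tells a reporter that mail sent here stays private. Consider adding a one-line comment under the heading that says reports to these addresses are handled privately. Style point: the underline is the same length as the one under "General Project Administration" and is shorter than the new heading, whereas in the neighbouring sections the underline matches the heading length.
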
> > --
> > MST
> >


