Posted to commits@cloudstack.apache.org by jl...@apache.org on 2013/06/04 00:16:45 UTC
svn commit: r1489205 - /cloudstack/site/trunk/content/security.mdtext
Author: jlk
Date: Mon Jun 3 22:16:45 2013
New Revision: 1489205
URL: http://svn.apache.org/r1489205
Log:
Correcting markdown bullet list, tweaked intro text
Modified:
cloudstack/site/trunk/content/security.mdtext
Modified: cloudstack/site/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/cloudstack/site/trunk/content/security.mdtext?rev=1489205&r1=1489204&r2=1489205&view=diff
==============================================================================
--- cloudstack/site/trunk/content/security.mdtext (original)
+++ cloudstack/site/trunk/content/security.mdtext Mon Jun 3 22:16:45 2013
@@ -2,7 +2,7 @@ Title: Apache CloudStack: Security
## Apache CloudStack Security
-The Apache CloudStack project understands that as a core infrastructure project, the application security of Apache CloudStack is of critical importance.
+The Apache CloudStack project understands that as a core infrastructure project, the application security of Apache CloudStack is of critical importance to the community and users.
### Apache CloudStack Security Team
@@ -22,28 +22,34 @@ The security team asks that you **please
### Procedure for Responding to Potential Security Issues
-* Upon receiving notice of a potential security issue, a security team member will create a bug to track the investigation, this bug must be flagged as a security issue. Security flag should mean contents of ticket are not visible to non-security team members
-* Security team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack
-* If the issue is determined not to be a vulnerability the reporter will be notified and the issue will be closed as invalid.
-* If issue is confirmed as a CloudStack vulnerability:
-** Security team notifies the Apache Security team
-** Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System
-** Security team works with reporter to get a chance to investigate and mitigate the issue in a timely manner before public announcement. This should be between 15-30 days, depending on the severity and complexity of the issue
-** Security team works with Apache Security Team to reserve a CVE Identifier for future public release
-** Security team works with appropriate code maintainer(s) to create patch to mitigate the issue
-** Testing is conducted to verify patch mitigates issue and does not cause regression errors
-** Security team creates a vulnerability announcement
-** Patch is committed to trunk and other supported branches that are affected. The commit should not refer to a particular vulnerability.
-** A new CloudStack release or hotfix is prepared and tested, containing the new security patch.
-** Distributor coordination is implemented to enable a coordinated announcement.
-** Security team posts vulnerability announcement to...
-*** CloudStack dev list
-*** CloudStack users list
-*** CloudStack Security alerts web page
-*** The Bugtraq mailing list
-** After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement.
-** Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
-* After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future.
+<ul>
+ <li> Upon receiving notice of a potential security issue, a security team member will create a bug to track the investigation, this bug must be flagged as a security issue. Security flag should mean contents of ticket are not visible to non-security team members
+ <li> Security team investigates the issue to confirm/deny the presence of a vulnerability within CloudStack
+ <li> If the issue is determined not to be a vulnerability the reporter will be notified and the issue will be closed as invalid.
+ <li> If issue is confirmed as a CloudStack vulnerability:
+ <ul>
+ <li> Security team notifies the Apache Security team
+ <li> Security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System
+ <li> Security team works with reporter to get a chance to investigate and mitigate the issue in a timely manner before public announcement. This should be between 15-30 days, depending on the severity and complexity of the issue
+ <li> Security team works with Apache Security Team to reserve a CVE Identifier for future public release
+ <li> Security team works with appropriate code maintainer(s) to create patch to mitigate the issue
+ <li> Testing is conducted to verify patch mitigates issue and does not cause regression errors
+ <li> Security team creates a vulnerability announcement
+ <li> Patch is committed to trunk and other supported branches that are affected. The commit should not refer to a particular vulnerability.
+ <li> A new CloudStack release or hotfix is prepared and tested, containing the new security patch.
+ <li> Distributor coordination is implemented to enable a coordinated announcement.
+ <li> Security team posts vulnerability announcement to...
+ <ul>
+ <li> CloudStack dev list
+ <li> CloudStack users list
+ <li> CloudStack Security alerts web page
+ <li> The Bugtraq mailing list
+ </ul>
+ <li> After announcement, CHANGES and NEWS files need to be updated to reflect the vulnerability and fix. This must happen AFTER the announcement.
+ <li> Also after announcement, modify the Jira ticket so that the issue is now publicly viewable.
+ </ul>
+ <li> After the vulnerability is addressed, the CloudStack community should review development processes to see how the community can minimize the chance of similar vulnerabilities being introduced in the future.
+</ul>
### For further information
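Review bot: the replacement list in this hunk moves from markdown to raw HTML but never closes its `<li>` elements, so the nested `<ul>` blocks under "If issue is confirmed as a CloudStack vulnerability:" and "Security team posts vulnerability announcement to..." sit inside implicitly open `<li>`s; that depends on the markdown processor passing the HTML block through untouched and on the browser's implied-end-tag rules, and it will not round-trip if anyone later edits the file as markdown. Since the commit message describes this as "Correcting markdown bullet list", the smaller fix is to keep the `*` bullets and indent sub-items by four spaces (the `**` and `***` prefixes in the removed lines are not markdown nesting syntax, which is what broke the original rendering); if the HTML is kept, add an explicit `</li>` after each item. Minor: the first item still contains the comma splice "track the investigation, this bug must be flagged as a security issue", which reads better as two sentences.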