--- xml/htdocs/security/en/vulnerability-policy.xml	2009/04/14 00:06:25	1.21
+++ xml/htdocs/security/en/vulnerability-policy.xml	2012/02/02 11:06:00	1.24
@@ -14,6 +14,9 @@
 <author title="Author">
   <mail link="rbu@gentoo.org">Robert Buchholz</mail>
 </author>
+<author title="Author">
+  <mail link="a3li@gentoo.org">Alex Legler</mail>
+</author>
 
 <abstract>
 This document describes the policy used in Gentoo Linux to treat
@@ -25,8 +28,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>1.2.7</version>
-<date>2009-04-14</date>
+<version>1.4</version>
+<date>2012-02-02</date>
 
 <chapter>
 <title>Scope</title>
@@ -45,7 +48,7 @@
 </p>
 
 <p>
-For this reason, the security team separates Gentoo architectures into two
+For this reason, the Security Team separates Gentoo architectures into two
 groups, <b>supported</b> and <b>unsupported</b>:
 </p>
 
@@ -106,34 +109,19 @@
 </body>
 </section>
 <section>
-<title>Release Engineering</title>
-<body>
-<p>
-The Release Engineering ("releng") project appoints a developer to be the
-primary point of contact for security issues.
-</p>
-<p>
-Release Engineering informs the Gentoo Security Project when a first tree 
-snapshot is taken for media releases. Beginning with the first snapshot until 
-the official media release ("release preparation period"), Release Engineering 
-(the appointed security liaison in case of confidential issues) should be cc'd 
-on each security bug entering the stabilization phase.
-</p>
-</body>
-</section>
-<section>
 <title>Kernels</title>
 <body>
 
 <p>
-Currently kernels are not covered by the GLSA release process.
+Kernels are not covered by the GLSA release process.
 Vulnerabilities must still be reported and will be fixed, but 
-<e>no GLSA will be issued</e> when everything is solved.
+<b>no GLSA will be issued</b> when everything is solved.
 </p>
 
 <note>
-This policy should be changed when new tools are added to cover
-security vulnerabilities affecting the different kernel sources.
+The <uri link="http://git.overlays.gentoo.org/gitweb/?p=proj/kernel-check.git;a=summary">kernel-check</uri>
+utility is being developed to provide Kernel security information.
+This policy should be updated accordingly when it is ready.
 </note>
 
 </body>
@@ -148,13 +136,13 @@
 newer (~ARCH) ebuild, but the older (stable) packages are not affected, or when
 the package has never had any stable ebuilds in the tree.
 In this case the vulnerability must still be reported and will be fixed, but 
-<e>no GLSA will be issued</e> when everything is solved.
+<b>no GLSA will be issued</b> when everything is solved.
 </p>
 
 <note>
 This policy might be changed when our tools support more complex
 upgrade paths and if a sufficient number of GLSA coordinators join
-the security team.
+the Security Team.
 </note>
 
 </body>
@@ -174,7 +162,7 @@
 <mail link="security@gentoo.org">security@gentoo.org</mail>).
 Major security lists should have official scouts assigned to them which
 should ensure that all vulnerabilities announced on these lists get a
-security bugzilla entry.
+security Bugzilla entry.
 </p>
 
 </body>
@@ -185,24 +173,24 @@
 
 <p>
 Confidential vulnerabilities (for example coming from developer's direct
-communication or restricted vendor-sec lists) should follow a specific
-procedure. They should not appear as a public
-bugzilla entry, but only in security-restricted media like a private
-bugzilla section or the GLSAMaker tool. They should get
-corrected using private communication channels between the GLSA coordinator
-and the package maintainer.
+communication or restricted lists) must follow a specific procedure.
+They should not appear as a public bugzilla entry, but only in 
+security-restricted media like a private bugzilla section or the GLSAMaker tool.
+They should get corrected using private communication channels between the GLSA
+coordinator and the package maintainer.
 </p>
 
 <note>
 Communication for confidential vulnerabilities should be properly encrypted.
-They should be sent to specific security team members and encrypted with
-their GPG key. The list of the security team members is available at 
+They should be sent to specific Security Team members and encrypted with
+their GPG key. The list of the Security Team members is available at 
 <uri link="http://security.gentoo.org">security.gentoo.org</uri>, their key
 IDs can be looked up on the
 <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">Gentoo
 Linux Developers List</uri>
 and their keys can be retrieved from the
 <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri> keyserver.
+The use of IRC and other unencrypted messaging methods is discouraged.
 </note>
 
 </body>
@@ -312,7 +300,7 @@
 
 <p>
 Here is the table of the resulting severity levels. They should be set
-to the bugzilla severity level of the same name:
+to the Bugzilla severity level of the same name:
 </p>
 
 <table>
@@ -389,22 +377,27 @@
 
 <p>
 During this phase it may be necessary to ask the reporter for details. The bug
-remains with status NEW as long as necessary. When (if) the bug passes these
-sanity tests, it should be accepted and the bug wrangler should do the
-following:
+remains with status UNCONFIRMED or CONFIRMED as long as necessary.
+When (if) the bug passes these sanity tests, it should be marked as IN_PROGRESS 
+and the bug wrangler should do the following:
 </p>
 
 <ul>
 <li>rename the bug so that it includes category/package-name at start
-    (for example: "net-mail/clamav: DoS using RAR files")</li>
+    (for example: <e>net-mail/clamav: DoS using RAR files</e>)</li>
+<li>remove version information in the bug title if there is no fixed version
+    available. Bug titles like <e>&lt;=category/package-1.2.3</e>, where 1.2.3
+    is the latest version of the package, should be avoided.</li>
 <li>evaluate and assign a severity level (see above)</li>
-<li>set the status to ASSIGNED</li>
+<li>set the status to IN_PROGRESS</li>
 <li>seed the status whiteboard to the correct severity code and status</li>
 <li>cc package maintainers to the bug according to package metadata</li>
 <li>set the URL field to an upstream bug or similar</li>
-<li>search for reserved or assigned CVE identifier and add it to the bug title, request a CVE otherwise</li>
-<li>optionally assign a GLSA coordinator for the bug, by adding the
-    coordinator name to the status whiteboard</li>
+<li>search for a reserved or assigned CVE identifier and add it to the bug title,
+    request a CVE otherwise</li>
+<li>enter the bug number in the CVE tracker (given the wrangler has access to it)</li>
+<li>set the Alias field to the CVE identifier.
+    In case there are multiple identifiers, use the first one.</li>
 </ul>
 
 <warn>
@@ -451,8 +444,8 @@
 <li>if a fix is available, get the package maintainer involved to produce and
     commit an ebuild containing the fix and set status whiteboard to <c>ebuild</c></li>
 <li>once an ebuild is committed, evaluate what keywords are needed for the fix
-    ebuild and get arch-specific teams to test and mark
-    the ebuild stable on their architectures (arch-teams should be cc'd on
+    ebuild and get arch-specific Teams to test and mark
+    the ebuild stable on their architectures (arch teams should be cc'd on
     the bug, as well as releng during release preparation) and set status 
     whiteboard to <c>stable</c></li>
 <li>arch-maintainers should mark the ebuild stable if there is no regression
@@ -464,7 +457,7 @@
 
 <note>
 If the bug makes progress and the assigned GLSA coordinator does not react,
-the other members of the security team can help keeping the bug rolling by
+the other members of the Security Team can help keeping the bug rolling by
 updating its status.
 </note>
 
@@ -486,19 +479,19 @@
     <c>stable+</c> and <c>glsa+</c></li>
 <li>if no upstream fix is available (<c>upstream+</c> status), a decision must
     be taken on masking the
-    package: the security team can mask a package which is not depended on by
-    itself, but need a TLP manager approval before masking a package which is
+    package: The Security Team can mask a package which is not depended on by
+    itself, maintainers should be consulted before masking a package which is
     not standalone</li>
 <li>if the maintainer/herd does not show up for producing the ebuild during 48
-    hours after summoning (<c>ebuild+</c> status), the security team should
+    hours after summoning (<c>ebuild+</c> status), the Security Team should
     try to bump the ebuild by itself</li>
 <li>if testing and marking stable takes too much time (<c>stable+</c> status),
-    the security team will shout on IRC channels and gentoo-dev list to get
+    the Security Team will shout on IRC channels and gentoo-dev list to get
     more testers. It will either mark the ebuild stable by itself or, in the
     event this cannot be done due to stability issues, mask it (see security
     masking approval policy above)</li>
 <li>if the GLSA coordinator does not show up to draft a GLSA (<c>glsa+</c>
-    status), then another member of the security team should draft the GLSA
+    status), then another member of the Security Team should draft the GLSA
     and submit it to peer review</li>
 </ul>
 
@@ -534,6 +527,10 @@
 <title>Temporary GLSAs</title>
 <body>
 
+<note>
+This is no longer common practice.
+</note>
+
 <p>
 If a <e>blocker</e> or <e>critical</e> or <e>major</e> vulnerability cannot
 totally be corrected in the target delay,
@@ -562,7 +559,7 @@
 
 <p>
 Once ready, a GLSA should be submitted to peer review. At least two members
-of the security team must approve the draft GLSA. Once the draft passes the
+of the Security Team must approve the draft GLSA. Once the draft passes the
 peer review process, it should be assigned an official GLSA number.
 </p>
 
@@ -600,28 +597,6 @@
   </ti>
 </tr>
 <tr>
-  <ti>Bugtraq security mailing-list</ti>
-  <ti>
-  <mail link="bugtraq@securityfocus.com">bugtraq@securityfocus.com</mail>
-  </ti>
-</tr>
-<tr>
-  <ti>Full-disclosure security mailing-list</ti>
-  <ti>
-  <mail link="full-disclosure@lists.grok.org.uk">
-  full-disclosure@lists.grok.org.uk
-  </mail>
-  </ti>
-</tr>
-<tr>
-  <ti>Linuxsecurity.com advisories service</ti>
-  <ti>
-  <mail link="security-alerts@linuxsecurity.com">
-  security-alerts@linuxsecurity.com
-  </mail>
-  </ti>
-</tr>
-<tr>
   <ti>Gentoo Linux announcement forum</ti>
   <ti><uri>http://forums.gentoo.org/viewforum.php?f=16</uri></ti>
 </tr>
@@ -633,7 +608,6 @@
 
 <ul>
 <li>The <c>To:</c> field must be set to gentoo-announce</li>
-<li>The <c>Cc:</c> filed must contain the other email addresses</li>
 <li>The <c>From:</c> and <c>Return-Path:</c> must be set to the GLSA
     coordinator @gentoo.org address</li>
 <li>The <c>Subject:</c> field must be "[ GLSA XXXXYY-ZZ ] Your vulnerability
@@ -645,7 +619,7 @@
 <note>
 Developer key IDs can be found on the Gentoo Linux
 <uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">
-Developer list</uri>. All the security team GPG keys are published on public
+Developer list</uri>. All the Security Team GPG keys are published on public
 key servers, including (but not limited to)
 <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri>.
 </note>
@@ -655,10 +629,19 @@
 handled by an automatic poster when it receives the announcement.
 </note>
 
+<note>
+Starting Feb 2, 2012, we have decied to no longer CC any third parties.
+The gentoo-announce mailing list has little other traffic, so that they
+should be subscribed there. General security mailing lists such as full-
+disclosure or bugtraq are not our target audience, and having various
+distributions send notices about the same issues is not of any use to most
+readers there, they too should be on gentoo-announce.
+</note>
+
 <p>
 When the GLSA has been published the corresponding bugzilla bug should be
 resolved as FIXED, with the GLSA number referenced in the comments section
-of the bug.
+of the bug. GLSAMaker 2 offers this option after releasing the advisory.
 </p>
 
 </body>
@@ -712,3 +695,4 @@
 </section>
 </chapter>
 </guide>
+<!-- vim: set et noai inde=: -->