= Organization of the X.Org security team =

== How are security issues handled? ==

Generally, security issues are reported to xorg-security@. When CERT, iDefense or one of the other groups reports an issue, someone on the list takes the lead to coordinate it (this has typically been Matthieu). The usual procedure follows: agree on an unembargo date, try to get it fixed, etc. In particular, we work with the vendor-sec list to coordinate issues with various vendors whenever possible.

== Handling secrecy ==

xorg-security@ is a private list, and security-related problems can be marked as private in Bugzilla.

== How are the fixes tested, and by whom (before being made public)? ==

In addition to the tests that people on the xorg-security list can perform, when we are able to share information with vendor-sec, we rely on tests done by vendors. Past experience has shown that they don't test things too much (they do read patches though).