This page describes the list of things to do when going from a reported bug to a released advisory.
- Read through this first: https://github.com/RedHatProductSecurity/CVE-HOWTO, it outlines most of the processes required.
- File a bug in the bugzilla and make sure that "Only users in all of the selected groups can view this bug: is set to the X.Org security team and that the bug is assigned to the X.Org security team (firstname.lastname@example.org) before submitting the bug. Both must be done to keep the bug private.
- Figure out a catchy descriptive title such as "Procotol handling issues in servers", "Information leak in X servers", "Use after free in handling of ...". The Advisory list has a list of them to get ideas.
- Email email@example.com with a subject of "CVE request for blah" where blah is the title you selected. See the CVE-HOWTO linked above what to include. They will give you a CVE number to use for this advisory.
- Decide on an embargo date. Usually the embargo date is one week, two for fixes that are more involved. Note that the embargo starts once you email the distros mailing list. Don't make the embargo date a Friday, Saturday, Sunday or Monday. Historically, embargos ended on a Tuesday, it's the most time-zone-compatible day of the week.
- Send a message to firstname.lastname@example.org with the subject "DRAFT: X.Org Security Advisory: CVE-XXXX-YYYY: blah". CC the reporter. Take one of the existing messages as example (look through the xorg-announce archives, adjust as needed. 1.1 Allow for some feedback time + the embargo date (i.e. usually this means at least 2 weeks in total)
- Once the feedback time is over, send a message to email@example.com with the subject "[vs] Preview of X.Org Security Advisory for date" where date is the embargo end date. CC the reporter. The [vs] must be in the subject line to get past the spam filters
Dear Distro security teams:
X.Org plans to release the following security advisory and patch on date at time and timezone
As always, if you have any feedback, questions, or suggestions, please let firstname.lastname@example.org (our private security contact list) know.
*** EMBARGOED: Please keep confidential until date and time + timezone ***
INCLUDE ADVISORY TEXT HERE
- Start preparing the patches, notify the master and stable branch maintainers
- On the day of the embargo, notify the master branch maintainer to push the patches
- Add the cgit commit links to the advisory text
- Send an email to xorg-announce with CC to xorg and xorg-devel with the subject line "X.Org Security Advisory: CVE-XXXX-YYYY: blah"" with blah being the title and the advisory text as content. CC the reporter.
- Forward the announcement to email@example.com (the public counterpart to the private distros list).
- Edit the Security page to include the advisory.
- Make the bug report public by removing the visibility restrictions