Organization of the X.Org security team

How are security issues handled?

Generally, security issues are reported to xorg-security@. When CERT, iDefense or one of the other groups reports an issue, someone on the list takes the lead to co-ordinate it (this has typically been Matthieu or Alan). The usual procedure follows: agree on an unembargo date with the reporter and the affected vendors, get a fix written and reviewed, and so on.

When we go public, announcements are made on the X.Org wiki Security page, the xorg-announce mailing list, and the oss-security mailing list.

Handling secrecy

xorg-security@ is a private list, and security related problems can be marked as private in GitLab (although this restricts read access to X.Org team members on GitLab as a whole, not only to members of xorg-security@, so a private issue is visible to a wider group than the list itself).

How are the fixes tested, and by whom (before they are made public)?

As a number of vendors are members of the xorg-security list, we rely on the testing done by them. Past experience has shown that they do not test the fixes very much (they do read the patches, though).