Organization of the X.Org security team

How are security issues handled?

Generally, security issues are reported to xorg-security@. When CERT, iDefense or one of the other groups reports an issue, someone on the list takes the lead to coordinate it (this has typically been Matthieu or Alan). The usual procedure then follows: agree on an unembargo date with the reporter, try to get the issue fixed before that date, and so on.

In particular, we work with the oss-security distros list to coordinate issues with the various vendors whenever possible.

When we go public, announcements are made on the X.Org wiki Security page, the xorg-announce mailing list, and the oss-security mailing list.

Handling secrecy

xorg-security@ is a private list, and security-related problems can be marked as private in Bugzilla.

How are the fixes tested, and by whom, before they are made public?

In addition to the tests that the people on the xorg-security@ list can perform, when we are able to share information with the distros list we also rely on tests done by vendors. Past experience has shown that vendors do not test things much, although they do read the patches.