The following text is the Pre-Release Disclosure of Vulnerability Information. The Arch Linux Security Team keeps track of which developers have agreed to this document and will involve them accordingly on any non-public vulnerabilities that are disclosed to Arch Linux.
Pre-Release Disclosure of Vulnerability Information
Security team receives information from various security sources for the ability of the linux distributions to be able to prepare with patches and updates for the public announcement of the vulnerabilities. We would like to include you in this early release notification providing you agree to the following which describes how this information is to be handled.
Arch Linux is allowed the access and membership to the pre-release vulnerability information contingent on the agreement that we (Arch Linux) will not disclose this information prior to the public announcement date of the vulnerability. If we do not follow this we (Arch Linux) will lose our membership.
The restricted information that is disclosed to you as part of being the maintainer that the restricted package belongs to.
As an agreement to receiving this information you agree to the following:
(i) The information that you obtain as part of the pre-release notification is not to be shared with anyone besides the security team members, and the other recipients of the notification email. If another member of a project, or a member of another project is needed to assist in the remediation of the vulnerability please notify the security team of person or project that can assist with the pre-release vulnerability. The security team will be able to make the decision on a case-by-case basis if we will include the developer in the pre-release notification, and have them agree to this document. Please do not disclose the vulnerability information to anyone before communicating with security team members as stated above. Information should be kept [TLP:RED]
(ii) All communication about the pre-release information is to be handled through encrypted (OpenPGP) channels. This information is not to be discussed on non-encrypted medium such as IRC, other chat programs, or through non-encrypted email. OpenPGP keyblocks need to be verified to be used as part of communication.
(iii) As a maintainer of the package you will be available to evaluate the vulnerability within the time frame (typically 7 to 14 days), and communicate your decisions, concerns, etc to the security team through the encrypted channels (see ii). If you are not available due to an extended away, and you are a lead of a project, please nominate another person as part of the project that is reliable and would be willing to acknowledge this document.
(iv) Please note that the subject field is not part of the encrypted data as part of OpenPGP and is public metadata. As such please do not change or add to the subject that is started by the security team member as part of the notification.
(v) Patches are not to be kept on public version control sources, or Arch Linux repositories available to anyone else. Testing of the patches must be in a staged private environment isolated to your system. These patches should only be made available publicly after the public release date of the vulnerability.
(vi) Unless directly specified in the pre-release announcement the deployment of the patches and/or mitigations described in the pre-release announcement is NOT permitted to any system during the embargo. For development systems please see (v).
Arch Linux Security Team
Signing this document
The above document, from and including the header, should be signed with the following command
gpg --armor --detach-sign document.txt and sent to email@example.com.
This document is based on the Gentoo's Pre-Release Disclosure available under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license.