User:Foxboron/Pre-Release Disclosure

From ArchWiki

The following text is the Pre-Release Disclosure of Vulnerability Information. The Arch Linux Security Team keeps track of which developers have agreed to this document and will involve them accordingly on any non-public vulnerabilities that are disclosed to Arch Linux.


Pre-Release Disclosure of Vulnerability Information

The security team receives information from various security sources so
that Linux distributions are able to prepare patches and updates ahead of
the public announcement of the vulnerabilities. We would like to include
you in this early release notification, provided you agree to the
following, which describes how this information is to be handled.

Arch Linux is granted access to and membership in the pre-release
vulnerability information on the condition that we (Arch Linux) will not
disclose this information prior to the public announcement date of the
vulnerability. If we do not comply with this, we (Arch Linux) will lose
our membership.

The restricted information is disclosed to you in your capacity as the
maintainer of the package it concerns.

In return for receiving this information, you agree to the following:

(i) The information that you obtain as part of the pre-release
notification is not to be shared with anyone besides the security team
members and the other recipients of the notification email. If another
member of a project, or a member of another project, is needed to assist
in the remediation of the vulnerability, please notify the security team
of the person or project that can assist with the pre-release vulnerability.
The security team will decide on a case-by-case basis whether to include
the developer in the pre-release notification and have them agree to this
document. Please do not disclose the vulnerability information to anyone
before communicating with security team members as stated above.
Information should be kept [TLP:RED].

(ii) All communication about the pre-release information is to be
handled through encrypted (OpenPGP) channels. This information is not to
be discussed on non-encrypted media such as IRC, other chat programs,
or non-encrypted email. OpenPGP keyblocks need to be verified before
being used as part of the communication.

(iii) As a maintainer of the package you will be available to evaluate
the vulnerability within the time frame (typically 7 to 14 days), and
communicate your decisions, concerns, etc. to the security team through
the encrypted channels (see ii). If you are not available due to an
extended absence, and you are a lead of a project, please nominate another
reliable member of the project who would be willing to acknowledge this
document.

(iv) Please note that the subject field of an email is not part of the
data encrypted by OpenPGP and is public metadata. As such, please do not
change or add to the subject that is started by the security team member
as part of the notification.

(v) Patches are not to be kept in public version control sources or in
Arch Linux repositories available to anyone else. Testing of the patches
must be done in a staged private environment isolated to your system. These
patches should only be made available publicly after the public release
date of the vulnerability.

(vi) Unless directly specified in the pre-release announcement, the
deployment of the patches and/or mitigations described in the
pre-release announcement is NOT permitted on any system during the
embargo. For development systems please see (v).

Arch Linux Security Team
Email: security@archlinux.org

Signing this document

The above document, from and including the header, should be signed with the following command, gpg --armor --detach-sign document.txt, and the resulting detached signature sent together with the document to security@archlinux.org.

References

[TLP:RED]

https://www.us-cert.gov/tlp and
https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Credits

This document is based on Gentoo's Pre-Release Disclosure, available under the terms of the Creative Commons Attribution-Share Alike 3.0 Unported license.