update source to Ceph Pacific 16.2.2

[ceph.git] / ceph / src / spdk / dpdk / doc / guides / contributing / vulnerability.rst

diff --git a/ceph/src/spdk/dpdk/doc/guides/contributing/vulnerability.rst b/ceph/src/spdk/dpdk/doc/guides/contributing/vulnerability.rst
index a4bef4857699da637f0b41253de60a4842c77e3c..b6300252ad29415f6f2bdca8d269a425fff21ea0 100644 (file)
--- a/ceph/src/spdk/dpdk/doc/guides/contributing/vulnerability.rst
+++ b/ceph/src/spdk/dpdk/doc/guides/contributing/vulnerability.rst
@@ -8,7 +8,7 @@ Scope
 -----
 
 Only the main repositories (dpdk and dpdk-stable) of the core project
-are in the scope of this security process.
+are in the scope of this security process (including experimental APIs).
 If a stable branch is declared unmaintained (end of life),
 no fix will be applied.
 
@@ -36,11 +36,11 @@ Report
 
 Do not use Bugzilla (unsecured).
 Instead, send GPG-encrypted emails
-to `security@dpdk.org <http://core.dpdk.org/security#contact>`_.
+to `security@dpdk.org <https://core.dpdk.org/security#contact>`_.
 Anyone can post to this list.
 In order to reduce the disclosure of a vulnerability in the early stages,
 membership of this list is intentionally limited to a `small number of people
-<http://mails.dpdk.org/roster/security>`_.
+<https://mails.dpdk.org/roster/security>`_.
 
 It is additionally encouraged to GPG-sign one-on-one conversations
 as part of the security process.
@@ -182,18 +182,26 @@ When the fix is ready, the security advisory and patches are sent
 to downstream stakeholders
 (`security-prerelease@dpdk.org <mailto:security-prerelease@dpdk.org>`_),
 specifying the date and time of the end of the embargo.
-The public disclosure should happen in **less than one week**.
+The communicated public disclosure date should be **less than one week**
 
 Downstream stakeholders are expected not to deploy or disclose patches
 until the embargo is passed, otherwise they will be removed from the list.
 
 Downstream stakeholders (in `security-prerelease list
-<http://mails.dpdk.org/roster/security-prerelease>`_), are:
+<https://mails.dpdk.org/roster/security-prerelease>`_), are:
 
 * Operating system vendors known to package DPDK
 * Major DPDK users, considered trustworthy by the technical board, who
   have made the request to `techboard@dpdk.org <mailto:techboard@dpdk.org>`_
 
+The `OSS security private mailing list mailto:distros@vs.openwall.org>` will
+also be contacted one week before the end of the embargo, as indicated by `the
+OSS-security process <https://oss-security.openwall.org/wiki/mailing-lists/distros>`
+and using the PGP key listed on the same page, describing the details of the
+vulnerability and sharing the patch[es]. Distributions and major vendors follow
+this private mailing list, and it functions as a single point of contact for
+embargoed advance notices for open source projects.
+
 The security advisory will be based on below template,
 and will be sent signed with a security team's member GPG key.
 
@@ -276,8 +284,9 @@ Releases on Monday to Wednesday are preferred, so that system administrators
 do not have to deal with security updates over the weekend.
 
 The security advisory is posted
-to `announce@dpdk.org <mailto:announce@dpdk.org>`_
-as soon as the patches are pushed to the appropriate branches.
+to `announce@dpdk.org <mailto:announce@dpdk.org>`_ and to `the public OSS-security
+mailing list <mailto:oss-security@lists.openwall.com>` as soon as the patches
+are pushed to the appropriate branches.
 
 Patches are then sent to `dev@dpdk.org <mailto:dev@dpdk.org>`_
 and `stable@dpdk.org <mailto:stable@dpdk.org>`_ accordingly.