[SecurityworkGroup] Security response team - bug database needed

krtaylor kurt.r.taylor at gmail.com
Wed Jun 16 23:08:18 AEST 2021


On 6/9/21 7:15 PM, Joseph Reynolds wrote:
> This is a followup to a discussion in the security working group meeting 
> held 2021-06-09 agenda item 11.
> 
> 
> The security response team has difficulty tracking reported security 
> vulnerabilities to closure and writing CVEs in a timely manner.  Having 
> a confidential bug tracker would help.
> Per Dick, the UEFI team uses bugzilla and has a restructured corner for 
> the security response team: anyone can write a bug, but only security 
> response team members can see it.
> What are the best practices? How do we get a bug tracker which only 
> OpenBMC security response team members can read?

If I read this correctly, you are requesting a Bugzilla instance be 
stood up to track security issues? Since we have no community project 
budget to fund any type of hosting, nor any community interest to fund a 
trust/budget, this would have to be a donated service. Maybe a 
participating company would be willing to host and care for this service?

Alternatively, can the response team use a service that we already have? 
Just thinking, I have no details, but maybe a new Github group/repo?

Kurt Taylor (krtaylor)

> 
> Joseph
> 
