[SecurityworkGroup] Security response team - bug database needed
kurt.r.taylor at gmail.com
Wed Jun 16 23:08:18 AEST 2021
On 6/9/21 7:15 PM, Joseph Reynolds wrote:
> This is a followup to a discussion in the security working group meeting
> held 2021-06-09 agenda item 11.
> The security response team has difficulty tracking reported security
> vulnerabilities to closure and writing CVEs in a timely manner. Having
> a confidential bug tracker would help.
> Per Dick, the UEFI team uses bugzilla and has a restructured corner for
> the security response team: anyone can write a bug, but only security
> response team members can see it.
> What are the best practices? How do we get a bug tracker which only
> OpenBMC security response team members can read?
If I read this correctly, you are requesting a Bugzilla instance be
stood up to track security issues? Since we have no community project
budget to fund any type of hosting, nor any community interest to fund a
trust/budget, this would have to be a donated service. Maybe a
participating company would be willing to host and care for this service?
Alternatively, can the response team use a service that we already have?
Just thinking, I have no details, but maybe a new Github group/repo?
Kurt Taylor (krtaylor)