[SecurityworkGroup] Security response team - bug database needed

Joseph Reynolds jrey at linux.ibm.com
Tue Jun 22 05:02:56 AEST 2021

On 6/16/21 8:08 AM, krtaylor wrote:
> On 6/9/21 7:15 PM, Joseph Reynolds wrote:
>> This is a followup to a discussion in the security working group 
>> meeting held 2021-06-09 agenda item 11.
>> The security response team has difficulty tracking reported security 
>> vulnerabilities to closure and writing CVEs in a timely manner.  
>> Having a confidential bug tracker would help.
>> Per Dick, the UEFI team uses bugzilla and has a restructured corner 
>> for the security response team: anyone can write a bug, but only 
>> security response team members can see it.
>> What are the best practices? How do we get a bug tracker which only 
>> OpenBMC security response team members can read?
> If I read this correctly, you are requesting a Bugzilla instance be 
> stood up to track security issues? Since we have no community project 
> budget to fund any type of hosting, nor any community interest to fund 
> a trust/budget, this would have to be a donated service. Maybe a 
> participating company would be willing to host and care for this service?

Yes, I believe other security response teams use Bugzilla.  I believe 
that would work for OpenBMC.  A Bugzilla hosted by one of the TSC member 
companies works for me.

- Joseph

> Alternatively, can the response team use a service that we already 
> have? Just thinking, I have no details, but maybe a new Github 
> group/repo?
> Kurt Taylor (krtaylor)
>> Joseph
