[SecurityworkGroup] Security response team - bug database needed
jrey at linux.ibm.com
Tue Jun 22 05:02:56 AEST 2021
On 6/16/21 8:08 AM, krtaylor wrote:
> On 6/9/21 7:15 PM, Joseph Reynolds wrote:
>> This is a followup to a discussion in the security working group
>> meeting held 2021-06-09 agenda item 11.
>> The security response team has difficulty tracking reported security
>> vulnerabilities to closure and writing CVEs in a timely manner.
>> Having a confidential bug tracker would help.
>> Per Dick, the UEFI team uses bugzilla and has a restructured corner
>> for the security response team: anyone can write a bug, but only
>> security response team members can see it.
>> What are the best practices? How do we get a bug tracker which only
>> OpenBMC security response team members can read?
> If I read this correctly, you are requesting a Bugzilla instance be
> stood up to track security issues? Since we have no community project
> budget to fund any type of hosting, nor any community interest to fund
> a trust/budget, this would have to be a donated service. Maybe a
> participating company would be willing to host and care for this service?
Yes, I believe other security response teams use Bugzilla. I believe
that would work for OpenBMC. A Bugzilla hosted by one of the TSC member
companies works for me.
> Alternatively, can the response team use a service that we already
> have? Just thinking, I have no details, but maybe a new Github
> Kurt Taylor (krtaylor)