Details
Type: User Story
Resolution: Unresolved
Priority: P2: Important
Description
Current state
We do not have a reliable mechanism for our users, open source or commercial, to discover safety-critical features or bug fixes for the Qt framework (or other products).
Wiki: There is a wiki page, List of known vulnerabilities in Qt Products, but it is a wiki and not fully under the control of Qt R&D. Also, the list does not match JIRA.
JIRA: The filter https://bugreports.qt.io/issues/?jql=labels%20in%20(SecurityIssue%2C%20security)%20AND%20type%20%3D%20Bug%20ORDER%20BY%20created%20DESC should find all issues, but it is based on labels, and those are unreliable (anyone can add or remove them, typos happen, etc.). This should be fixed under QTPMO-2383, hence the dependency.
Blog: The Qt Blog consistently tags security advisories with the "security" tag https://www.qt.io/blog/tag/security, but there is also a "cybersecurity" tag used for CRA-related news, which is confusing. Also, the blog is not part of the product documentation, and this channel is not under the same R&D scrutiny as, for example, the documentation.
Doc: There is a new Security page https://doc.qt.io/qt-6/security.html, but it currently links to the above-mentioned wiki.
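The label-based filter above finds an issue only if its label is spelled exactly as the JQL expects and its type is Bug, so a typo such as "secuirty", a variant such as "Security-Issue", or a security-labelled Task silently drops out of the list. The following script is an added example (not Qt's own tooling) that shows one way to audit for that drift: it uses the issue's JQL against JIRA's standard REST search endpoint (/rest/api/2/search, a real endpoint; the base URL and issue keys below are constructed placeholders) and, offline, classifies a constructed set of issues into those the filter matches, those that merely look security-related, and those excluded by the type restriction.

```python
import json
import re
import urllib.parse
import urllib.request

# The JQL quoted in the issue description, decoded from the URL.
SECURITY_JQL = "labels in (SecurityIssue, security) AND type = Bug ORDER BY created DESC"

# Label spellings the JQL literally names. We compare raw labels against these
# and deliberately do not assume anything about JQL's own case handling.
LITERAL_LABELS = {"SecurityIssue", "security"}
CANONICAL = {"securityissue", "security"}


def fetch_issues(base_url, jql, max_results=50):
    """GET /rest/api/2/search and return the 'issues' list.
    Network call; not used by the offline audit below. base_url is an assumption."""
    query = urllib.parse.urlencode(
        {"jql": jql, "fields": "summary,labels,issuetype", "maxResults": max_results}
    )
    with urllib.request.urlopen(base_url.rstrip("/") + "/rest/api/2/search?" + query) as resp:
        return json.load(resp)["issues"]


def normalize(label):
    """Lowercase and strip everything but letters, so 'Security-Issue' -> 'securityissue'."""
    return re.sub(r"[^a-z]", "", label.lower())


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute), small DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_security_label(label, max_distance=2):
    """True if the label is a near-miss of a canonical label (typo, punctuation, casing)."""
    n = normalize(label)
    return any(edit_distance(n, c) <= max_distance for c in CANONICAL) or "security" in n


def audit_labels(issues):
    """Split issues into: matched by the JQL, drifted (security-looking label the JQL
    misses), and not_bug (security-looking label but excluded by 'type = Bug')."""
    result = {"matched": [], "drifted": [], "not_bug": []}
    for issue in issues:
        labels = issue["fields"].get("labels", [])
        is_bug = issue["fields"]["issuetype"]["name"] == "Bug"
        if not any(looks_like_security_label(l) for l in labels):
            continue  # nothing security-related on this issue
        if not is_bug:
            result["not_bug"].append(issue["key"])
        elif any(l in LITERAL_LABELS for l in labels):
            result["matched"].append(issue["key"])
        else:
            result["drifted"].append(issue["key"])
    return result


def make_issue(key, issue_type, labels):
    """Build a minimal record in the shape JIRA's search API returns."""
    return {"key": key, "fields": {"issuetype": {"name": issue_type}, "labels": labels}}


# Constructed sample data (keys are placeholders, not real Qt issues).
SAMPLE_ISSUES = [
    make_issue("QTBUG-EX1", "Bug", ["SecurityIssue"]),      # exact label: JQL finds it
    make_issue("QTBUG-EX2", "Bug", ["secuirty"]),           # typo: JQL misses it
    make_issue("QTBUG-EX3", "Bug", ["Security-Issue"]),     # variant spelling: JQL misses it
    make_issue("QTBUG-EX4", "Bug", ["regression"]),         # unrelated label: ignored
    make_issue("QTBUG-EX5", "Task", ["security"]),          # right label, wrong type
]

if __name__ == "__main__":
    print(json.dumps(audit_labels(SAMPLE_ISSUES), indent=2))
```

To run it against a live instance, call fetch_issues with the JIRA base URL and a broadened JQL (for example dropping the label clause) and pass the result to audit_labels; the drifted and not_bug lists are the candidates a label clean-up under QTPMO-2383 would need to review.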
Customer Portal: As part of ESM, the Customer Portal will have a section for Qt 5.15 security patches, which could be the basis for a future vulnerability dashboard for commercial customers. Done under QTBSI-2646 and QTPMO-2091, which must have implemented a mechanism to identify which links to pick from Gerrit.
Desired state
Either the Customer Portal (for both commercial and open source users) or the Documentation has a page where one can find and search known vulnerabilities per (minor and maintenance) release, per platform, and by other relevant criteria. Detailed search may happen in JIRA, too (depending on QTPMO-2383).
The same mechanism and process can be used for all products: Qt framework and tools, QQUL, QDS, Axivion, Squish, Coco, TC, etc.
This depends on QTPMO-2381 Define process for updating Qt Framework security-critical documentation.