QTWEBSITE-860 (Qt Project Website)

Security Policy Renewal



    • Type: User Story
    • Status: In Progress
    • Priority: P2: Important
    • Resolution: Unresolved
    • Component/s: qt-project.org
    • Labels:


      Users of and contributors to the Qt project expect a professional security policy to be documented by the Qt Project.

      Such a policy needs to document:

      • how the project expects to be notified about security issues
      • how the project will respond to such notifications
      • which routines the project has established to proactively discover and prevent vulnerabilities
      • how confirmed vulnerabilities and exposures will be published

      As of now, the Security Policy lives on a wiki page at https://wiki.qt.io/Qt_Project_Security_Policy where some of these points are answered.

      However, some of the existing processes do not follow industry practice. For example, announcing a confirmed vulnerability via announce@qt-project.org does not by itself result in an entry in the "Common Vulnerabilities and Exposures" (CVE) database; a CVE ID has to be requested from a CVE Numbering Authority, and the policy does not say who does that or when.

      In addition, some established processes are not documented at all; for example, The Qt Company regularly performs fuzzing and auditing, including source code review and static code analysis, but the wiki page does not mention this.

      Formally, the Qt Project has established Qt's Utilitarian Improvement Process (QUIP, see http://quips-qt-io.herokuapp.com) to document such processes in a standardized and auditable way. The security policy should be migrated into a QUIP and extended to cover the points listed above.





            • Assignee: Volker Hilsheimer (vhilshei)
            • Votes: 0
            • Watchers: 9


              • Created: