Qt Project Website / QTWEBSITE-860

Security Policy Renewal


Details

    • Type: User Story
    • Resolution: Done
    • Priority: P2: Important
    • Component: qt-project.org
    • 9ae3fa87202ef657f907276465c90c195bf07a81

    Description

      Users of and contributors to the Qt project expect a professional security policy to be documented by the Qt Project.

      Such a policy needs to document:

      • how the project expects to be notified about security issues
      • how the project will respond to such notifications
      • which routines the project has established to proactively discover and prevent vulnerabilities
      • how confirmed vulnerabilities and exposures will be published

      As of now, the Security Policy lives on a wiki page at https://wiki.qt.io/Qt_Project_Security_Policy where some of these points are answered.

      However, some of the existing processes do not follow industry standards. For example, announcing confirmed vulnerabilities via announce@qt-project.org does not result in an entry in the "Common Vulnerabilities and Exposures" (CVE) database, so downstream users and vulnerability scanners never see them.

      In addition, some established processes are not documented at all; for example, The Qt Company regularly performs fuzzing and auditing, including source code review and static code analysis.

      Formally, the Qt project has established Qt's Utilitarian Improvement Process (QUIP, see http://quips-qt-io.herokuapp.com) to document such processes in a standardized and auditable way. This policy should be migrated into a QUIP.

          People

            Assignee / Reporter: Volker Hilsheimer (vhilshei)
            Votes: 0
            Watchers: 9
