Type: User Story
Priority: P2: Important
Users of and contributors to the Qt project expect a professional security policy to be documented by the Qt Project.
Such a policy needs to document:
- how the project expects to be notified about security issues
- how the project will respond to such notifications
- which routines the project has established to proactively discover and prevent vulnerabilities
- how confirmed vulnerabilities and exposures will be published
As of now, the Security Policy lives on a wiki page at https://wiki.qt.io/Qt_Project_Security_Policy where some of these points are answered.
However, some of the existing processes are not following industry standards. For example, announcing confirmed vulnerabilities via firstname.lastname@example.org does not result in an entry in the "Common Vulnerabilities and Exposures" (CVE) database.
In addition, some established processes are not documented; for example, The Qt Company regularly executes fuzzing and auditing, including source code review and static code analysis.
Formally, the Qt project has established Qt's Utilitarian Improvement Process (QUIP, see http://quips-qt-io.herokuapp.com) to document such processes in a standardized and auditable way. This policy should be migrated into a QUIP.