path: root/Development/Development/Security/Checklist.mdwn
blob: 61daed1c3ba38ccfc1903aca67357a59fef435df (plain)
This page describes the list of things to do when going from a reported bug to a released advisory.


0. Read through this first: [https://github.com/RedHatProductSecurity/CVE-HOWTO](https://github.com/RedHatProductSecurity/CVE-HOWTO), it outlines most of the processes required.
1. <del>File a bug in the bugzilla and make sure that *"Only users in all of the selected groups can view this bug:"* is set to the X.Org security team and that the bug is assigned to the X.Org security team (xorg_security@x.org) **before submitting the bug**. Both must be done to keep the bug private.</del>
1. Figure out a catchy descriptive title such as *"Protocol handling issues in servers"*, *"Information leak in X servers"*, *"Use after free in handling of ..."*. The [[Advisory list|/Development/Security/]] has a list of them to get ideas.
1. Email **secalert@redhat.com** with a subject of *"CVE request for **blah**"* where **blah** is the title you selected. See the CVE-HOWTO linked above for what to include. They will give you a CVE number to use for this advisory.
1. Decide on an embargo date. Usually the embargo is one week, two for fixes that are more involved. Note that the embargo starts once you email the distros mailing list. Don't make the embargo end date a Friday, Saturday, Sunday or Monday. Historically, embargoes ended on a Tuesday, which is the most time-zone-compatible day of the week.
1. Send a message to **xorg-security@lists.x.org** with the subject *"DRAFT: X.Org Security Advisory: CVE-XXXX-YYYY: **blah**"*. CC the reporter. Take one of the existing messages as an example (look through the [xorg-announce archives](http://lists.x.org/archives/xorg-announce/)) and adjust as needed.
1.1 Allow for some feedback time on the draft before the embargo starts, plus the embargo itself (i.e. usually this means at least 2 weeks in total from the draft to the release).
1. Once the feedback time is over, send a message to **[[distros@vs.openwall.org|http://oss-security.openwall.org/wiki/mailing-lists/distros]]** with the subject *"[vs] Preview of X.Org Security Advisory for **date**"* where **date** is the embargo end date. CC the reporter. The *[vs]* must be in the subject line to get past the spam filters.
> Dear Distro security teams:
>
> X.Org plans to release the following security advisory and patch on **date**
> at **time and timezone**
>
> As always, if you have any feedback, questions, or suggestions, please
> let xorg-security@lists.x.org (our private security contact list) know. 
>
> \*\*\* EMBARGOED: Please keep confidential until **date** and **time + timezone** \*\*\*
>
> INCLUDE ADVISORY TEXT HERE
1. Start preparing the patches, and notify the master and stable branch maintainers.
1. On the day the embargo ends, notify the master branch maintainer to push the patches.
1. Add the GitLab commit links to the advisory text.
1. Send an email to **xorg-announce** with CC to **xorg** and **xorg-devel** with the subject line *"X.Org Security Advisory: CVE-XXXX-YYYY: **blah**"* with **blah** being the title and the advisory text as content. CC the reporter.
1. Forward the announcement to **[[oss-security@lists.openwall.com|http://oss-security.openwall.org/wiki/mailing-lists]]** (the public counterpart to the private distros list).
1. Edit the [[Security|/Development/Security]] page to include the advisory.
1. <del>Make the bug report public by removing the visibility restrictions</del>
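The embargo rules in the checklist (the clock starts at the distros mail, one week or two for involved fixes, never Friday through Monday, Tuesday preferred) and the distros preview mail, as an added Python example. This is not X.Org tooling; the sender and reporter addresses, the release time and the advisory text in the usage section are constructed placeholders.

```python
"""Embargo scheduling and distros-preview mail for an X.Org advisory.

Added example for this checklist, not X.Org's own tooling. Addresses, the
release time and the sample advisory text under __main__ are constructed.
"""
from datetime import date, timedelta
from email.message import EmailMessage

TUESDAY = 1
# The checklist rules out Friday, Saturday, Sunday and Monday as embargo ends.
DISALLOWED_WEEKDAYS = {4, 5, 6, 0}

DISTROS_LIST = "distros@vs.openwall.org"
SECURITY_LIST = "xorg-security@lists.x.org"


def embargo_end(distros_mail_date, involved=False):
    """First Tuesday at least one week (two for involved fixes) after the day
    the distros list is mailed, which is when the embargo starts."""
    minimum = distros_mail_date + timedelta(days=14 if involved else 7)
    days_to_tuesday = (TUESDAY - minimum.weekday()) % 7
    return minimum + timedelta(days=days_to_tuesday)


def check_embargo_end(distros_mail_date, proposed, involved=False):
    """Return the checklist rules a hand-picked end date violates ([] if none).

    Tuesday is the usual choice, but Wednesday and Thursday are not ruled out,
    so a date on those days passes as long as it is far enough out."""
    problems = []
    min_days = 14 if involved else 7
    if (proposed - distros_mail_date).days < min_days:
        problems.append(f"shorter than {min_days} days after the distros mail")
    if proposed.weekday() in DISALLOWED_WEEKDAYS:
        problems.append("falls on Friday, Saturday, Sunday or Monday")
    return problems


def preview_subject(end):
    # The "[vs]" tag is what gets the mail past the distros list spam filter.
    return f"[vs] Preview of X.Org Security Advisory for {end.isoformat()}"


def announce_subject(cve, title):
    return f"X.Org Security Advisory: {cve}: {title}"


def distros_preview_mail(sender, reporter, end, release_time, advisory_text):
    """Build the embargoed preview message for the distros list, following
    the template in the checklist; the reporter is CC'd as the list asks."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = DISTROS_LIST
    msg["Cc"] = reporter
    msg["Subject"] = preview_subject(end)
    when = f"{end.isoformat()} at {release_time}"
    msg.set_content(
        "Dear Distro security teams:\n\n"
        f"X.Org plans to release the following security advisory and patch on {when}\n\n"
        "As always, if you have any feedback, questions, or suggestions, please\n"
        f"let {SECURITY_LIST} (our private security contact list) know.\n\n"
        f"*** EMBARGOED: Please keep confidential until {when} ***\n\n"
        f"{advisory_text}\n"
    )
    return msg


if __name__ == "__main__":
    mailed = date(2024, 3, 6)  # constructed: a Wednesday
    end = embargo_end(mailed)
    print("embargo ends", end, end.strftime("%A"))
    print("hand-picked Friday:", check_embargo_end(mailed, date(2024, 3, 8)))
    mail = distros_preview_mail(
        "security@example.org",   # constructed sender
        "reporter@example.org",   # constructed reporter
        end,
        "14:00 UTC",              # constructed release time
        "CVE-XXXX-YYYY: constructed advisory text",
    )
    print(mail)
```

Mailing the distros list on a Wednesday gives a Tuesday end 13 days out rather than a bare 7, because the next Tuesday within a week would land only six days after the mail; mailing on a Tuesday gives exactly one week.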