[Development] Evolving the Qt Project Security Policy

Richard Moore rich at kde.org
Fri Jul 12 21:25:08 CEST 2019

Hi Volker,

A few comments - I wrote the original policy and I'm happy that you're
taking the time to evolve it:

> In addition, we have also been discussing a few aspects in The Qt Company
> where we would like to see the policy evolve, such as:
> * the integration of CVE handling into the process of disclosing
> vulnerabilities

At the time of writing, getting a CVE was difficult as a result of
bottlenecks within the issuing process (see
https://lwn.net/Articles/679315/ for
background). These issues have now been resolved so I agree they should be
assigned. It may also be worth considering including a CVSS score.

> * the documentation of security-relevant software engineering processes
> that The Qt Company operates today, such as external code audits or
> fuzzing; evolving such processes should be part of the discussion

At the time of writing, these activities were not present. I'd be happy to
look at details of them and discuss. If we're going to, then there should
also be some consideration made towards threat modelling and the
development of a loosely formalised SDLC.

> * reviewing the way the core security team is operating




> See https://bugreports.qt.io/browse/QTWEBSITE-860 for details. I’d be
> very happy about all contributions.
> Note that for the moment, the scope of this continues to be Qt itself,
> rather than surrounding infrastructure and processes.
> Cheers,
> Volker
> [1] https://wiki.qt.io/Qt_Project_Security_Policy