[Development] Evolving the Qt Project Security Policy
Volker Hilsheimer
volker.hilsheimer at qt.io
Wed May 22 11:01:33 CEST 2019
Hi all,
the Qt Project Security Policy is currently documented as a wiki page at [1]. Since QUIPs are the official way to document processes, I’m proposing that we move the policy to a QUIP.
As a starting point, this will be an rst-ified version of the current wiki page:
https://codereview.qt-project.org/c/meta/quips/+/262502
In addition, we have also been discussing a few aspects in The Qt Company where we would like to see the policy evolve, such as:
* the integration of CVE handling into the process of disclosing vulnerabilities
* the documentation of security-relevant software engineering processes that The Qt Company operates today, such as external code audits or fuzzing; evolving such processes should be part of the discussion
* reviewing the way the core security team is operating
See https://bugreports.qt.io/browse/QTWEBSITE-860 for details. I’d be very happy about all contributions.
Note that for the moment, the scope of this continues to be Qt itself, rather than surrounding infrastructure and processes.
Cheers,
Volker
[1] https://wiki.qt.io/Qt_Project_Security_Policy