[Development] Evolving the Qt Project Security Policy

Volker Hilsheimer volker.hilsheimer at qt.io
Wed May 22 11:01:33 CEST 2019

Hi all,

The Qt Project Security Policy is currently documented as a wiki page at [1]. Since QUIPs are the official way to document processes, I’m proposing that we move the policy to a QUIP.

As a starting point, this will be an rst-ified version of the current wiki page:


In addition, we have also been discussing a few aspects in The Qt Company where we would like to see the policy evolve, such as:

* the integration of CVE handling into the process of disclosing vulnerabilities
* the documentation of security-relevant software engineering processes that The Qt Company operates today, such as external code audits or fuzzing; evolving such processes should be part of the discussion
* reviewing the way the core security team is operating

See https://bugreports.qt.io/browse/QTWEBSITE-860 for details. I’d be very happy about all contributions.

Note that for the moment, the scope of this continues to be Qt itself, rather than surrounding infrastructure and processes.


[1] https://wiki.qt.io/Qt_Project_Security_Policy
