==Purpose: don't 0-day ourselves==
People watch our check-ins. If the patch is an obvious security fix, if the check-in comment says "security fix", or if the testcase shows how to trigger a vulnerability, someone may be able to start exploiting our users before we were planning to ship that fix.
==Principle: assume the worst==
* If there's no rating, we assume it could be critical
* If we don't know the regression range, we assume it needs porting to all supported branches
==Procedure==
For security bugs with no sec- severity rating, assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs, you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]].