Version 5 (modified by Ademar Reis, 12 years ago)


QtWebKit Security Policy

QtWebKit follows WebKit's security policy, which is documented in http://www.webkit.org/security/

QtWebKit-2.2.0 is up-to-date regarding security vulnerabilities found in the WebKit codebase. Later updates on the 2.2 series will include security fixes and their announcements will be listed on this page.

Security Announcements

  • None yet (this will be a list of links to the announcements mailing list)

Preparing Security Announcements

Part of the release notes of patch-level releases (such as QtWebKit-2.2.1, QtWebKit-2.2.2, etc.) should be dedicated to the security problems that have been fixed. It is standard procedure to include a list of the security issues fixed (including their CVE Ids) and to credit the researchers who discovered and reported them.

Examples of security announcements:

The list of security bugs fixed in the branch since the last release can be extracted from the git changelog using the cherry-pick-into-release-branch.py script. For example, to list all security issues fixed from the tag qtwebkit-2.2.0 until now (note that you will need appropriate Bugzilla privileges):

$ cherry-pick-into-release-branch.py --no-git-pull --list-only --security-bugs-from qtwebkit-2.2.0..

With this list in hand, go to Bugzilla and look up, manually:

  • The CVE Id of the issue;
  • The researchers who should receive credit;

Once the release notes are ready, they should be sent to the WebKit Security Mailing List for peer review, preferably one or two days before making them public.

Exceptions should always be discussed in the WebKit Security Mailing List.
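The procedure above, as an added example that is not part of the QtWebKit wiki or its tooling: a small Python script that merges the bug list extracted with cherry-pick-into-release-branch.py with the CVE Id and credit looked up by hand in Bugzilla, and reports entries that are still incomplete before the notes go to the mailing list. The list format, bug numbers, titles and CVE Ids are constructed placeholders; the real script's output format is assumed, not known.

```python
# Added example (not QtWebKit's own code): build the security section of a
# patch-level release note and flag bugs whose CVE Id or credit is still missing.
import re

# Constructed sample standing in for the output of
# "cherry-pick-into-release-branch.py --list-only --security-bugs-from <tag>..".
# Only "Bug <id>: <title>" per line is assumed.
EXTRACTED_LIST = """\
Bug 12345: Use-after-free in example node handling
Bug 12346: Out-of-bounds read in example parser
Bug 12347: Example integer overflow
"""

# Data gathered manually from Bugzilla (constructed placeholders).
BUGZILLA_INFO = {
    12345: {"cve": "CVE-XXXX-0001", "credit": "Example Researcher (Example Lab)"},
    12346: {"cve": "CVE-XXXX-0002", "credit": ""},   # credit not yet known
    12347: {},                                        # nothing looked up yet
}

BUG_LINE = re.compile(r"^Bug\s+(\d+):\s*(.+)$")


def parse_bug_list(text):
    """Return {bug_id: title} parsed from the extracted bug list."""
    bugs = {}
    for line in text.splitlines():
        match = BUG_LINE.match(line.strip())
        if match:
            bugs[int(match.group(1))] = match.group(2).strip()
    return bugs


def build_security_section(bugs, info, release):
    """Return (release-note text, bug ids still missing a CVE Id or credit)."""
    lines = [f"Security fixes in {release}", ""]
    incomplete = []
    for bug_id in sorted(bugs):
        entry = info.get(bug_id, {})
        cve, credit = entry.get("cve"), entry.get("credit")
        if not cve or not credit:
            incomplete.append(bug_id)   # must be resolved before peer review
        lines.append(f"* {cve or 'CVE-TBD'}: {bugs[bug_id]} "
                     f"(WebKit bug {bug_id}, reported by {credit or 'TBD'})")
    return "\n".join(lines) + "\n", incomplete


if __name__ == "__main__":
    section, missing = build_security_section(
        parse_bug_list(EXTRACTED_LIST), BUGZILLA_INFO, "QtWebKit-2.2.1")
    print(section)
    print("Incomplete entries (do not send yet):", missing)
```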