Version 6 (modified by ademar.reis@openbossa.org, 3 years ago)

QtWebKit Security Policy

QtWebKit follows WebKit's security policy, which is documented in http://www.webkit.org/security/

The QtWebKit project makes only source-code releases and is not responsible for delivering binary updates to end users. End users should get their updates from their respective vendor (Linux distribution, device vendor, etc.).

QtWebKit-2.2.0 is up to date regarding security vulnerabilities found in the WebKit codebase. Later updates in the 2.2 series will include security fixes, and their announcements will be listed on this page.

Security Announcements

Security reports are sent to the QtWebKit Announcements mailing list.

  • None yet (this will be a list of links to the announcements mailing list)

Preparing Security Announcements

Part of the release notes of patch-level releases (such as QtWebKit-2.2.1, QtWebKit-2.2.2, etc.) should be dedicated to the security problems which have been fixed. It is standard procedure to include a list of the security issues fixed (including the CVE Id of each) and to give credit to the researchers who discovered and reported them.

Examples of security announcements:

The list of security bugs fixed in the branch since the last release can be extracted from the git changelog using the cherry-pick-into-release-branch.py script. For example, to extract a list of all security issues fixed from the tag qtwebkit-2.2.0 until now (note that you will need the appropriate Bugzilla privileges):

$ cherry-pick-into-release-branch.py --no-git-pull --list-only --security-bugs-from qtwebkit-2.2.0..

With this list in hand, we go to Bugzilla and find out, manually:

  • The CVE Id of the issue;
  • The researchers who should receive credit;

Once the release notes are ready, they should be sent to the WebKit Security mailing list for peer review, preferably one or two days before making them public. Exceptions and any topic regarding the security policy can also be discussed there.