= QtWebKit Security Policy =

!QtWebKit follows WebKit's security policy, which is documented in http://www.webkit.org/security/

The !QtWebKit project makes only source-code releases and is not responsible for delivering binary updates to end users. The end-users should get their updates from their respective vendor (Linux distributions, device vendor, etc).

!QtWebKit-2.2.0 is up-to-date regarding security vulnerabilities found in the WebKit codebase. Later updates on the 2.2 series will include security fixes and their announcements will be listed on this page.

== Security Announcements ==

Security reports are sent to the [http://lists.qt.nokia.com/mailman/listinfo/qtwebkit-announce QtWebKit Announcements mailing list]. Below is a list of announcements made so far:

  * None yet (this will be a list of links to the announcements mailing list)

=== Preparing Security Announcements ===

Part of the release-notes of patch-level releases (such as !QtWebKit-2.2.1, !QtWebKit-2.2.2, etc) should be dedicated to the security problems which have been fixed. It's standard procedure to include a list of security issues fixed (including the CVE Id) and give credit to the researchers who discovered and reported it.

Examples of security announcements:
   * [http://googlechromereleases.blogspot.com/2011/08/stable-channel-update_22.html Google Chrome]
   * [http://support.apple.com/kb/HT4808 Apple Safari]

The list of security bugs fixed in the branch since the last release can be extracted from the git changelog using the {{{cherry-pick-into-release-branch.py}}} script. For example, to extract a list of all security issues fixed from the tag {{{qtwebkit-2.2.0}}} until now (notice you'll need proper bugzilla privileges):

{{{
$ cherry-pick-into-release-branch.py --no-git-pull --list-only --security-bugs-from qtwebkit-2.2.0..
}}}

With this list in hand, we can go to Bugzilla and find out, manually:
  * The CVE Id of the issue;
  * The researchers who should receive credit.

Once the release notes is ready, it should be sent to the [mailto:security@webkit.org WebKit Security mailing list] for peer review. Preferably one or two days before making it public. Exceptions and any topics regarding the security policy can be also discussed there.