5 Commits

Author SHA1 Message Date
Ferruh Yigit
45c1608d89 doc: clarify experimental API status in security process
Explicitly note that experimental APIs are also part of the security process.

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
2020-05-25 01:06:24 +02:00
Ferruh Yigit
4f0416968b doc: clarify security pre-release end of embargo date
Clarify that a fixed date will be used for end of embargo (public
disclosure) date while communicating with downstream stakeholders.

The initial document got a review saying that it gives the impression that
the communicated embargo date can be a range like 'less than a week', which
is not the case. The range applies when defining the end of the embargo
date, but a fixed date will be communicated.

Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
2020-05-25 01:04:36 +02:00
David Marchand
3d4b2afb73 doc: prefer https when pointing to dpdk.org
for file in $(git grep -l http://.*dpdk.org doc/); do
  sed -i -e 's#http://\(.*dpdk.org\)#https://\1#g' $file;
done

Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
2020-05-24 23:42:36 +02:00
Luca Boccassi
a46987cf94 doc: add oss-security to the security process
The OSS-security project functions as a single point of contact for
pre-release, embargoed security notifications. Distributions and major
vendors are subscribed to this private list, so that they can be warned
in advance and schedule the work required to fix the vulnerability.

List and link this process in the DPDK security process document.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
2019-11-15 09:54:55 +01:00
Thomas Monjalon
baf9fba303 doc: prepare security process for vulnerabilities
In case a vulnerability is discovered, the process to follow
is described in this document.
It has been inspired by the process of some referenced projects
and with the help of experts from Intel, RedHat, Mellanox
and the Linux Foundation.

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Luca Boccassi <bluca@debian.org>
2019-05-13 22:25:21 +02:00