[cvs] [Wiki] created: SecurityManagement

Chuck Hagenbuch chuck at horde.org
Wed Feb 6 04:24:53 UTC 2008


chuck  Tue, 05 Feb 2008 23:24:53 -0500

Created page: http://wiki.horde.org/SecurityManagement

+ Security Management

Like all software, Horde sometimes has bugs that impact security. This page
is an attempt to lay out procedures for handling them as gracefully as
possible.

++ Reporting new issues

We ask that researchers and others who discover security problems report
them to security at horde.org. As an all-volunteer project there are no
absolute guarantees, but the Horde Project will attempt to respond to all
valid reports within 24 hours with an acknowledgment and requests for any
additional needed information.

++ Timelines

The time required to release a fix will vary depending on the complexity of
the issue. We will stay in communication with vendors throughout the
development and testing process for fixes, and we ask reporters to stay in
communication with the Horde Project (through the security at horde.org alias).
Any help from reporters with testing fixes is doubly appreciated.

++ Confidentiality

Information provided by reporters is a courtesy to the Horde Project and
will be kept confidential in order to do coordinated releases of both the
disclosure and new fixed versions.

++ Early notification

In order to achieve a coordinated release with packagers that bundle Horde
for distribution, a restricted mailing list is available:
http://lists.horde.org/mailman/listinfo/vendor. Membership in this list is
moderated and the archives are private in order to maintain confidentiality.

++ Release

Finally, we will coordinate new releases with the reporter and the vendor
mailing list. Releases will clearly state that they contain security fixes.
