Project:Security/Pre-Release-Disclosure

''The following text is the Pre-Release Disclosure of Vulnerability Information. The Gentoo Security Team keeps track of which developers have agreed to this document and will involve them accordingly on any non-public vulnerabilities that are disclosed to Gentoo Linux.'' 

Pre-Release Disclosure of Vulnerability Information
Security team receives information from various security sources for the ability of the linux distributions to be able to prepare with patches and updates for the public announcement of the vulnerabilities. We would like to include you in this early release notification providing you agree to the following which describes how this information is to be handled.

Gentoo Linux Distribution is allowed the access and membership to the pre-release vulnerability information contingent on the agreement that we (Gentoo) will not disclose this information prior to the public announcement date of the vulnerability. If we do not follow this we (Gentoo) will loose our membership.

The restricted information that is disclosed to you as part of being the maintainer, or the lead of the Gentoo Project that the restricted package belongs to.

As an agreement to receiving this information you agree to the following:

(i) The information that you obtain as part of the pre-release notification is not to be shared with anyone besides the security team members, and the other recipients of the notification email. If another member of a project, or a member of another project is needed to assist in the remediation of  the vulnerability please notify the security team of person or project that can assist with the  pre-release vulnerability. The security team will be able to make the decision on a case-by-case basis if we will include the developer in the pre-release notification, and have them agree to this document. Please do not disclose the vulnerability information to anyone before communicating with security team members as stated above. Information should be kept [TLP:RED]

(ii) All communication about the pre-release information is to be handled through encrypted (OpenPGP) channels. This information is not to be discussed on non-encrypted medium such as IRC, other chat programs, or through non-encrypted email. OpenPGP keyblocks need to be verified to be used as part of communication.

(iii) If a pre-release security bug is opened for this vulnerability in Bugzilla (based on restriction of the source of the disclosure), it shall be a Confidential Vulnerability as per the Gentoo Security Vulnerability Treatment Policy [1].

(iv) As a maintainer of the package you will be available to evaluate the vulnerability within the time frame (typically 7 to 14 days), and communicate your decisions, concerns, etc to the security team through the encrypted channels (see ii). If you are not available due to an extended away, and you are a lead of a project, please nominate another person as part of the project that is reliable and would be willing to acknowledge this document.

(v) Please note that the subject field is not part of the encrypted data as part of OpenPGP and is public metadata. As such please do not change or add to the subject that is started by the security team member as part of the notification.

(vi) Patches are not to be kept on public GIT sources, or Gentoo repositories available to anyone else. Testing of the patches must be in a staged private environment isolated to your system. These patches should only be made available publicly after the public release date of the vulnerability.

(vii) Unless directly specified in the pre-release announcement the deployment of the patches and/or mitigations described in the pre-release announcement is NOT permitted to any system during the embargo. For development systems please see (vi).

Please reply back using an OpenPGP signed email message that you acknowledge the information provided. (Preference “I acknowledge thisdocument”).

Gentoo Security Team

Email: security@gentoo.org

References

[1] Gentoo Vulnerability Treatment Policy https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

[2] For this purpose all relevant keyblocks are included in this email, and it is acceptable to use LDAP data as source of identity matching to OpenPGP keyblocks.

[TLP:RED] https://www.us-cert.gov/tlp and https://en.wikipedia.org/wiki/Traffic_Light_Protocol