-This policy describes how security related issues are handled after they have -been reported to security@kde.org. -
--Issues that are brought to the attention of security@kde.org are handled -discreetly. The issue will be verified and the author/maintainer of the -affected code will usually be contacted. If the issue is indeed considered to -be a problem the need for an immediate fix is assessed. The security team -will also notify affected parties which are known to reuse the affected code. -
--If an immediate fix is not considered necessary a security alert is issued via -BugTraq and kde-announce@kde.org and will usually be fixed in the next released version of the software. -
--If an immediate fix is considered necessary, KDE release coordinators are contacted and -KDE vendor packagers, Linux distributors and other prenotification mailing lists -are informed once a fix is available that has passed review on security@kde.org. -We then give them a reasonable amount of -time to prepare binary packages. After that time we issue a security alert -via BugTraq and kde-announce@kde.org. Patches in source form and -any available updated binaries are published at the same time. -
--All security alerts are published on http://www.kde.org/info/security/. -
--KDE developers that want to join security@kde.org can send a request -to security@kde.org. Applications will be evaluated on a case by case basis by -the current members. The main criteria is the extent to which someone can be -helpful in excuting the security policy as described here. That includes a -willingness not to disclose issues prematurely. -
- - -