
CVE workbench policy

Brenda J. Butler edited this page Dec 14, 2013 · 3 revisions

When a vulnerability is discovered in Openswan and the fix has to be developed privately, the following policy applies to the Openswan developers working on the vulnerability fix:

  • Xelerance is to be made aware of the vulnerability via the email vuln AT xelerance.com
  • Xelerance will create a repository called "Openswan-cve-" by following https://help.github.com/articles/duplicating-a-repository
  • Xelerance will make the "Openswan-cve-" repository private by following https://help.github.com/articles/making-a-public-repository-private
  • Xelerance will create a branch named: "cve--"
  • Developers working on the vulnerability fix are to send their public SSH keys AND/OR their Github IDs to vuln AT xelerance.com
  • Xelerance will assign developers to the private repository by following https://help.github.com/articles/how-do-i-add-a-collaborator
  • Developers will clone the private repository
  • Developers will work locally on the CVE, and will test locally. If Developers wish to save work in progress to be seen by other developers on the private repository, then the Developers can push into a personal branch on the private "Openswan-cve-" repository.
  • Once a Developer is satisfied with the stability of their code, the Developer can merge it into master on the private "Openswan-cve-" repository.
  • Once all developers are satisfied with the completeness of the vulnerability fix and the stability of the added code, a release email can be sent to vuln AT xelerance.com
  • Xelerance will pull the vulnerability fix from the private repository.
  • Xelerance will write a CVE announcement.
  • Xelerance will prepare a new version of Openswan locally.
  • On a stated day, Xelerance will announce the CVE, push the fix source into the public Openswan repository, tag a new version, and make a new Openswan version available to be downloaded.
  • On the next day, Xelerance will remove the private "Openswan-cve-" repository by following https://help.github.com/articles/deleting-a-repository