The process below describes the actions that the rust-vmm maintainers need to take when a security vulnerability is disclosed to them via the security disclosure process.
- If during the process it becomes apparent there is no security impact, shift to treating as a public issue.
- When updating the changelog in the private fork under a security advisory, use the advisory ID to
  prefix the change description in the changelog, e.g.:

  ```markdown
  ## v0.12.1

  ### Changed

  - [[GHSA-875g-mfp6-g7f9](https://github.com/rust-vmm/vmm-sys-util/security/advisories/GHSA-875g-mfp6-g7f9)] Fixed a bug in serde implementation of FamStructWrapper which allowed out of bounds memory access from Rust-safe code.
  ```
- Do not yank versions of crates. This is to avoid complication and forcing additional work on users. A security conscious project is expected to be aware of security vulnerabilities via tooling such as cargo-audit.
- Due to the CI setup it is required to bypass branch protections to merge fixes implemented in private forks under security advisories.
```
    ┌────────────┐
    │Issue posted│
    └─┬──────────┘
      │
    ┌─▼───────────────────────┐
    │Reply with acknowledgment│
    └─┬───────────────────────┘
      │
  ────┼────────────────────────────────────Cross within 24 hours
      │
    ┌─▼──────────┐
    │Assess issue│
    └─┬──────────┘
      │
    ┌─▼───────────────────┐
    │Reply with assessment│
    └─┬───────────────────┘
      │
    ┌─▼──────────────────────────────┐
    │Decide embargo (minimum 2 weeks)│
    └─┬──────────────────────────────┘
      │
    ┌─▼────────────────────────────┐
    │Reply to reporter with embargo│
    └─┬────────────────────────────┘
      │
  ────┼────────────────────────────────────Cross within 48 hours
      │
    ┌─▼─────────────────┐
    │Allocate CVE number│
    └─┬─────────────────┘
      │
    ┌─▼─────────────────┐
    │Fix in private fork│
    └─┬─────────────────┘
      │
    ┌─▼────────────────────────────────────────┐
    │Backport fix to supported release branches│
    └─┬────────────────────────────────────────┘
      │
    ┌─▼───────────────────────────────────┐
    │Write regression test in private fork│
    └─┬───────────────────────────────────┘
      │
    ┌─▼──────────────────────────┐
    │Reply to reporter with fixes│
    └─┬──────────────────────────┘
      │
  ────┼────────────────────────────────────Cross within 5 days
      │
      │          ┌───────┐
      │          │       │
    ┌─▼──────────┴──┐    │
    │Embargo passed?│    No
    └─┬──────────▲──┘    │
      │          │       │
     Yes         └───────┘
      │
    ┌─▼───────────────────────────┐
    │Publish private fixes & tests│
    └─┬───────────────────────────┘
      │
    ┌─▼─────────────┐
    │Create releases│
    └─┬─────────────┘
      │
    ┌─▼─────────┐
    │Publish CVE│
    └─┬─────────┘
      │
    ┌─▼──────────────────────┐
    │Publish RustSec advisory│
    └─┬──────────────────────┘
      │
    ┌─▼──┐
    │Done│
    └────┘
```
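The final step of the flow, publishing the RustSec advisory, produces a markdown file in the `rustsec/advisory-db` repository whose front matter is a TOML block. The block below is an added illustration of that front matter and is not rust-vmm's own advisory: the crate name, advisory link and fixed version are taken from the changelog example earlier on this page, while the RustSec id, CVE id and date are placeholders.

```toml
# Illustrative RustSec advisory front matter (added example, not a rust-vmm
# advisory). In the advisory-db repository this TOML sits in a fenced toml
# block at the top of crates/<crate>/RUSTSEC-YYYY-NNNN.md, followed by a
# "# Title" heading and a prose description of the issue.
[advisory]
# Placeholder: the RustSec maintainers assign the real id when the PR is merged.
id = "RUSTSEC-0000-0000"

# Name of the affected crate (from the changelog example on this page).
package = "vmm-sys-util"

# Placeholder disclosure date (RFC 3339): the day the embargo ends.
date = "2023-01-01"

# Link to the published GitHub advisory so readers find the full write-up.
url = "https://github.com/rust-vmm/vmm-sys-util/security/advisories/GHSA-875g-mfp6-g7f9"

# Category from the fixed RustSec list; out-of-bounds access is memory-corruption.
categories = ["memory-corruption"]
keywords = ["out-of-bounds", "serde"]

# The CVE allocated earlier in the process; placeholder value here.
aliases = ["CVE-YYYY-NNNNN"]

[versions]
# Versions that contain the fix; matches the v0.12.1 changelog entry above.
patched = [">= 0.12.1"]
```

Once the advisory is merged, `cargo audit` flags every dependency tree that resolves to a version outside `patched`, which is the notification path the bullet about not yanking crate versions relies on: downstream users learn of the issue from the advisory database rather than from a broken build.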