Discovered QUIQQER Vulnerabilities and Exposures (QVE) should be named according to the following standard:

`QVE-<Project-ID>-<Year of discovery>-<Vulnerability ID (incremented)>`

- `<Project-ID>`: ID of the project/repository. Can be found here: ![image](uploads/d77baf426f00cec9689de3aff0394e53/image.png)
- `<Year of discovery>`: The year the vulnerability was discovered.
- `<Vulnerability ID (incremented)>`: The first vulnerability gets the ID 1. Each following vulnerability gets the next higher number (incremental).

Example: `QVE-12-2019-3`

This describes the **third** security vulnerability in the quiqqer/quiqqer project (ID **12**) discovered in the year **2019**.

-------------------

When creating an issue for this vulnerability, one should:

- add the QVE-ID to the issue's title.

  Example: `Everyone can revoke CRON-service registration (QVE-71-2019-1)`
- tag the issue with the `QVE`-QUIQQER-group-label
- tag the issue with the `Security`-QUIQQER-group-label
- mark the issue as confidential if it's a severe vulnerability
- mark the issue as public when the vulnerability is fixed
- assign the issue to the last person that actively committed to the project
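
The naming standard and the title rule above can be checked mechanically. The following is an added example, not part of the QUIQQER project's own tooling: it extracts QVE-IDs from issue titles, flags titles without a valid ID and IDs used twice, and proposes the next free ID. It assumes that the counter runs per project and per year (as the example above reads) and that IDs carry no leading zeros; all function names and all sample titles except the first are constructed.

```python
import re
from collections import Counter

# QVE-<Project-ID>-<Year of discovery>-<Vulnerability ID (incremented)>
# Assumption: project ID and vulnerability ID are positive integers without
# leading zeros, and the year has four digits.
QVE_RE = re.compile(r"(?<![A-Za-z0-9-])QVE-([1-9]\d*)-(\d{4})-([1-9]\d*)(?![\d-])")


def parse_qve(text):
    """Return (project_id, year, vuln_id) for the first QVE-ID in text, else None."""
    match = QVE_RE.search(text)
    return tuple(int(group) for group in match.groups()) if match else None


def audit(titles):
    """Return (ids, titles_without_valid_id, ids_used_more_than_once)."""
    ids, missing = [], []
    for title in titles:
        parsed = parse_qve(title)
        if parsed:
            ids.append(parsed)
        else:
            missing.append(title)
    duplicates = sorted(i for i, count in Counter(ids).items() if count > 1)
    return ids, missing, duplicates


def next_qve(titles, project_id, year):
    """Propose the next free QVE-ID for a project and year (per-year counter assumed)."""
    ids, _, _ = audit(titles)
    used = [vuln for proj, yr, vuln in ids if (proj, yr) == (project_id, year)]
    return f"QVE-{project_id}-{year}-{max(used, default=0) + 1}"


TITLES = [
    "Everyone can revoke CRON-service registration (QVE-71-2019-1)",  # from this page
    "Sample issue A (QVE-71-2019-2)",   # constructed
    "Sample issue B (QVE-71-2019-2)",   # constructed: reuses an ID
    "Sample issue C (QVE-71-19-3)",     # constructed: two-digit year is malformed
    "Sample issue D",                   # constructed: QVE-ID missing from title
]

if __name__ == "__main__":
    _, missing, duplicates = audit(TITLES)
    print("titles without a valid QVE-ID:", missing)
    print("QVE-IDs used more than once:", duplicates)
    print("next free ID:", next_qve(TITLES, 71, 2019))
```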