Auditing

Introduction

The SecurityTeam is sometimes asked to perform source code auditing, typically during the MainInclusionProcess. Due to time constraints, only a high-level audit is performed for Main Inclusion Reports (MIRs).

While every effort is made to perform the audit in a timely fashion, please remember that fixing vulnerabilities and proactive security development are the primary focus of the SecurityTeam.

List of bugs waiting for audit.

List of all MIR bugs.

MIR Process

  1. When a source package needs an audit from the SecurityTeam, the bug is assigned to ubuntu-security with a comment asking for the package to be reviewed.

  2. A member of the SecurityTeam will assign the bug to himself or herself and change the bug status to 'In Progress'.

  3. When the audit is completed, the SecurityTeam member will change the bug status back to 'Confirmed', unassign himself or herself, and add a comment describing the results of the audit.

If the audit requires more information from the requester, the SecurityTeam member should mark the bug status as 'Incomplete' without changing who the bug is assigned to.


SecurityTeam/Auditing (last edited 2011-09-22 02:33:52 by jdstrand)