Auditing

Differences between revisions 6 and 7
Revision 6 as of 2011-09-22 02:33:52
Size: 1759
Editor: jdstrand
Comment:
Revision 7 as of 2019-01-17 21:00:02
Size: 2152
Editor: alexmurray
Comment:
Line 14: Line 14:
 0. A member of the SecurityTeam will assign the bug to him or herself and change the bug status to 'In Progress'.
 0. When completed, the SecurityTeam member will change the bug back to 'Confirmed', unassign him or herself, and add a comment as to the results of the audit.
 0. A member of the SecurityTeam will change the bug status to 'In Progress'. In addition, they will also create an appropriate card in the private Security Team trello board (if one does not already exist) and ensure members from the team that requested the MIR are also subscribed to the card, move this to the Work In Progress queue and comment on the card that they will be handling it.
 0. When completed, the SecurityTeam member will change the bug back to 'Confirmed', unassign {{{ubuntu-security}}}, and add a comment as to the results of the audit. An appropriate comment should also be made on the trello card and the card should be moved to the DONE queue.
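Review bot: in the added step 2, "move this to the Work In Progress queue" leaves "this" without a stated referent; since the sentence has just described creating a card, write "move the card to the Work In Progress queue" so the step cannot be read as moving the bug. Two smaller points in the same region: "trello" is a product name and should be capitalised as "Trello" in both added steps, and the replaced wording dropped the explicit "assign the bug to him or herself" step, so the bug's assignee while the audit is in progress is now only implied by the later "unassign {{{ubuntu-security}}}"; a short clause in step 2 stating that the bug stays assigned to ubuntu-security would make that explicit.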

Introduction

The SecurityTeam is sometimes asked to perform source code auditing, typically during the MainInclusionProcess. Due to time constraints, only a high-level audit is performed for Main Inclusion Reports (MIRs).

While every effort is made to perform the audit in a timely fashion, please remember that fixing vulnerabilities and proactive security development are the primary focus of the SecurityTeam.

List of bugs waiting for audit.

List of all MIR bugs.

MIR Process

  1. When a source package needs an audit from the SecurityTeam, the bug is assigned to ubuntu-security with a comment asking for the package to be reviewed.

  2. A member of the SecurityTeam will change the bug status to 'In Progress'. In addition, they will create an appropriate card in the private Security Team Trello board (if one does not already exist), ensure that members of the team that requested the MIR are subscribed to the card, move the card to the Work In Progress queue, and comment on the card that they will be handling it.

  3. When completed, the SecurityTeam member will change the bug back to 'Confirmed', unassign ubuntu-security, and add a comment describing the results of the audit. An appropriate comment should also be made on the Trello card, and the card should be moved to the DONE queue.

If the bug requires more information, the SecurityTeam member should mark the bug status as 'Incomplete', without changing who the bug is assigned to.


SecurityTeam/Auditing (last edited 2023-07-11 07:58:02 by iosifache)