source/community/security.md
Lines changed: 24 additions & 2 deletions
@@ -33,6 +33,22 @@ The oVirt community will fix only issues related to [the most recent released ve
33
33
***Triage:** We will investigate and notify you if the report is accepted as a vulnerability.
34
34
***Fix & Disclosure:** We follow a 90-day disclosure policy, but we aim to release fixes as quickly as possible.
35
35
36
+
### New issues in oVirt vs. vulnerabilities in other projects {#new-issues-in-ovirt-vs-vulnerabilities-in-other-projects}
37
+
38
+
The private reporting flow and Security Manager checklist below focus on **new, not-yet-public vulnerability reports in oVirt's own code**,
39
+
including requesting a CVE when appropriate.
40
+
41
+
If someone reports that oVirt is affected by a problem **in another project** oVirt depends on:
42
+
43
+
***Already public:** You do **not** need a new oVirt-specific CVE.
44
+
Assess impact on oVirt, validate fixes, and communicate to the community using the **existing CVE ID** (and upstream references as needed).
45
+
***Not yet publicly disclosed:** Coordinate with the **maintainers of the vulnerable project** so that oVirt does not publish details
46
+
before the agreed disclosure time, and so announcements use the **correct CVE ID**.
47
+
CVE reservation and assignment are handled by the **CNA for that upstream project**, not as a separate oVirt-only CVE.
48
+
49
+
The steps that follow (private advisory, embargo, **Request CVE** in GitHub) apply to **undisclosed issues in oVirt code**.
50
+
Impact assessment, fix validation, and community disclosure still apply in all cases.
51
+
36
52
### Security advisories
37
53
38
54
The security advisories are visible in the **Security** tab of the relevant repository.
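Review bot: the "Not yet publicly disclosed" bullet says CVE reservation "is handled by the CNA for that upstream project", which reads as if every upstream project has its own CNA; many do not, and the assigning CNA may be the project, the platform hosting it, or a root CNA. Suggest wording it as "the CNA responsible for that upstream project (which may not be the project itself)" so a Security Manager does not stall waiting for a CNA that does not exist. For the "Already public" bullet, since the next section says advisories live in the **Security** tab of the relevant repository, it would help to state explicitly that the community communication in this case is an advisory in that tab referencing the existing CVE ID, so downstream consumers are notified through the same channel as oVirt-originated issues.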
@@ -59,9 +75,15 @@ The security advisories are visible in the **Security** tab of the relevant repo
59
75
{{site.data.alerts.end}}
60
76
*[ ]**The CI Workaround**:
61
77
* As of early 2026, GitHub Actions often do not run by default on temporary private forks for safety.
62
-
***Manual Step**: You may need to manually trigger a local build/test or create a separate private repository within the oVirt organization for extensive CI testing if the private fork's limitations hinder you.
63
-
*[ ]**Request CVE**:
78
+
***Manual Step**: You may need to manually trigger a local build/test or create a separate private repository within
79
+
the oVirt organization for extensive CI testing if the private fork's limitations hinder you.
80
+
*[ ]**Request CVE** (for **new** vulnerabilities in oVirt code):
64
81
* Click the "Request CVE ID" button. GitHub (acting as the CNA) will usually assign a CVE-YEAR-XXXXX identifier within 24–48 hours. Keep this draft.
82
+
{{site.data.alerts.important}}
83
+
Skip this when the issue is already covered by a CVE from another project;
84
+
reference that CVE in advisories and community communication instead
85
+
(see [New issues in oVirt vs. vulnerabilities in other projects](#new-issues-in-ovirt-vs-vulnerabilities-in-other-projects) above).
86
+
{{site.data.alerts.end}}
65
87
66
88
3. Downstream Pre-Notification (1–2 Weeks before Release)
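Review bot: the new `important` alert telling the Security Manager to skip the CVE request when an upstream CVE already covers the issue is placed after the sub-bullet that says to click "Request CVE ID", so a reader following the checklist top to bottom has already requested an ID before seeing the condition. Suggest moving the alert (or a one-line "only if ..." qualifier) ahead of the click instruction, or folding the condition into the sub-bullet itself. Also worth checking how `{{site.data.alerts.important}}` renders when it sits unindented inside a `*[ ]` checklist item; in kramdown an unindented block breaks the list, which would leave the remaining "Request CVE" content outside the checklist.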