From ec3ac717cf93803833aaefdbc09a16bf20ed1897 Mon Sep 17 00:00:00 2001 From: Samuli Piippo Date: Thu, 15 May 2025 11:25:28 +0300 Subject: [PATCH] SECURITY.md: add file Add details about Qt Project security policy. The SECURITY.md file is now required by the yocto-check-layer script. Pick-to: 6.9 6.8 Change-Id: Icbcd63bb15c0d106b1bde4c2b9c43aebe1031797 Reviewed-by: Mikko Gronoff Reviewed-by: Inkamari Harjula Reviewed-by: Ari Parkkila --- SECURITY.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..52a56cc --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,26 @@ +Qt Project Security Policy +========================== + +The Qt Project specifies its security policy in [QUIP 15](https://contribute.qt-project.org/quips/15). A summary of the security policy: + +* Qt has a Core Security Team that enforces the security policy and addresses issues. +* Proactive measures to prevent security issues - code reviews, code analysis, fuzz testing, and so on. +* Reporting Security Issues: the Core Security Team monitors security issues for Qt modules and affected third-party components. +* Handling Security Issues: the maintainers, Core Security Team, Chief Maintainer, and the Qt Company share and handle security issues. +* Disclosure of confirmed security issues at Common Vulnerabilities and Exposures database and a public announcement to the Qt announce@qt-project.org mailing list. + +Reporting Security Issues +------------------------- + +To report security issues in Qt Products, send an email to Security Mail List at security@qt-project.org. +The Core Security Team monitors and moderates incoming emails on business days (excluding weekends). +After sending an email to the Security Mail List, there will be an acknowledgment of receipt within +two business days. If there is no response, then the reporter should contact the Chief Maintainer directly. + +What Versions of Qt are Covered by this Policy? +----------------------------------------------- + +While we are interested in reports against any Qt version that is still maintained, fixes are only guaranteed to be provided for: + +* The latest released version. +* The preceding minor version.
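Review bot: The "Reporting Security Issues" section gives reporters only a plain email address and says nothing about how to protect the report in transit (for example whether an encryption key is published for security@qt-project.org) or what a report should contain (affected module and version, reproduction steps, impact); a short note on both would help reporters and the Core Security Team, since the section already sets the two-business-day acknowledgment expectation. Two wording nits in the same hunk: "send an email to Security Mail List at security@qt-project.org" is missing an article ("to the Security Mail List"), and the summary bullet "Disclosure of confirmed security issues at Common Vulnerabilities and Exposures database" reads better as "in the Common Vulnerabilities and Exposures (CVE) database". Finally, the reporting paragraph is hard-wrapped at roughly 100 columns while the other paragraphs are single long lines; pick one wrapping style for the file.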