Remove tor- prefix (authored by micah)
# Security intake process # Security intake process
This page describes the process for handling security issues when they are reported via the tor-security@torproject.org alias. It describes who is responsible what they are responsible for and the process that will be followed from initial submission to resolution. This page describes the process for handling security issues when they are reported via the `security@torproject.org` alias. It describes who is responsible what they are responsible for and the process that will be followed from initial submission to resolution.
# Security point people # Security point people
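Review bot: the sentence "It describes who is responsible what they are responsible for and the process that will be followed" in the intro paragraph runs three clauses together without punctuation on both the old and new side; since this line is already being touched for the alias rename, it should read "It describes who is responsible, what they are responsible for, and the process that will be followed from initial submission to resolution."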
...@@ -8,15 +8,15 @@ Each team lead identifies a security point person from their team to be the resp ...@@ -8,15 +8,15 @@ Each team lead identifies a security point person from their team to be the resp
# OpenPGP role key # OpenPGP role key
A [Tor Security "role" OpenPGP key](process/engineering/SecurityRoleKey) is generated for the uid tor-security@torproject.org and its fingerprint is published on the [Tor Project's help pages](https://support.torproject.org/misc/bug-or-feedback) detailing how to report a security issues. It is up to the reporter to encrypt the mail to the alias with this key, encryption is encouraged, but not required. A [Tor Security "role" OpenPGP key](process/engineering/SecurityRoleKey) is generated for the uid `security@torproject.org` and its fingerprint is published on the [Tor Project's help pages](https://support.torproject.org/misc/bug-or-feedback) detailing how to report a security issues. It is up to the reporter to encrypt the mail to the alias with this key, encryption is encouraged, but not required.
The OpenPGP secret key material for the tor-security@torproject.org UID is distributed to the security point people, so they can decrypt any encrypted mail. The OpenPGP secret key material for the `security@torproject.org` UID is distributed to the security point people, so they can decrypt any encrypted mail.
If an individual who is a security point person is no longer working with Tor, or needs to otherwise rotate out of this role, then they are to be replaced with a new person from that team and the key material is rotated and redistributed. If an individual who is a security point person is no longer working with Tor, or needs to otherwise rotate out of this role, then they are to be replaced with a new person from that team and the key material is rotated and redistributed.
# Intake process # Intake process
When a security issue arrives to tor-security@, the team security point person should create a confidential issue in the appropriate gitlab project, with the `Security` label. If this person is on vacation, then another point-person could optionally step in and route the issue to the correct team. When a security issue arrives to `security@`, the team security point person should create a confidential issue in the appropriate gitlab project, with the `Security` label. If this person is on vacation, then another point-person could optionally step in and route the issue to the correct team.
Teams should then begin an evaluation process to determine its relative severity and priority. Teams should then begin an evaluation process to determine its relative severity and priority.
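Review bot: the typo "how to report a security issues" in the OpenPGP role key paragraph is carried over unchanged from the old side; while renaming the alias on that line, change it to "a security issue", and split the comma splice that follows into "It is up to the reporter to encrypt the mail to the alias with this key; encryption is encouraged, but not required." The intake paragraph also alternates between "security point person" and "point-person"; pick one spelling (the document otherwise uses "security point person") and drop the redundant "could optionally" in favour of "may".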