From 1adef4a8788763dc416284f610efd4d566be1fad Mon Sep 17 00:00:00 2001
From: Pamplemousse <xav.maso@gmail.com>
Date: Mon, 15 Mar 2021 12:17:28 -0700
Subject: documentation: Add content about Vulnerability roundups

Signed-off-by: Pamplemousse <xav.maso@gmail.com>
---
 doc/contributing/vulnerability-roundup.chapter.md | 45 +++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 doc/contributing/vulnerability-roundup.chapter.md

(limited to 'doc/contributing/vulnerability-roundup.chapter.md')

diff --git a/doc/contributing/vulnerability-roundup.chapter.md b/doc/contributing/vulnerability-roundup.chapter.md
new file mode 100644
index 00000000000..d451420f981
--- /dev/null
+++ b/doc/contributing/vulnerability-roundup.chapter.md
@@ -0,0 +1,45 @@
+# Vulnerability Roundup {#chap-vulnerability-roundup}
+
+## Issues {#vulnerability-roundup-issues}
+
+Vulnerable packages in Nixpkgs are managed using issues.
+Currently opened ones can be found using the following:
+
+[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22)
+
+Each issue correspond to a vulnerable version of a package; As a consequence:
+
+- One issue can contain several CVEs;
+- One CVE can be shared across several issues;
+- A single package can be concerned by several issues.
+
+
+A "Vulnerability roundup" issue usually respects the following format:
+
+```txt
+<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>
+
+<list of related CVEs, their CVSS score, and the impacted NixOS version>
+
+<list of the scanned Nixpkgs versions>
+
+<list of relevant contributors>
+```
+
+Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.
+
+
+## Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing}
+
+**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable).
+If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check.
+
+If you are investigating a "true positive":
+
+- Find the earliest patched version or a code patch in the CVE details;
+- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch?
+  - **No**:
+    - [Submit a security fix](#submitting-changes-submitting-security-fixes);
+    - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches);
+  - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches).
+- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).
-- 
cgit 1.4.1