Auditing
Contents |
Introduction
The SecurityTeam is sometimes asked to perform source code auditing, typically during the MainInclusionProcess. Due to time constraints, only a high-level audit is performed for Main Inclusion Reports (MIRs).
While every effort is made to perform the audit within a timely fashion, please remember fixing vulnerabilities and proactive security development are the primary focus of the SecurityTeam.
List of bugs waiting for audit.
MIR Process
When a source package needs an audit from the SecurityTeam, the bug is assigned to ubuntu-security with a comment asking for the package to be reviewed.
A member of the SecurityTeam will change the bug status to 'In Progress'. In addition, they will also create an appropriate card in the private Security Team trello board (if one does not already exist) and ensure members from the team that requested the MIR are also subscribed to the card, move this to the Work In Progress queue and comment on the card that they will be handling it.
When completed, the SecurityTeam member will change the bug back to 'Confirmed', unassign ubuntu-security, and add a comment as to the results of the audit. An appropriate comment should also be made on the trello card and the card should be moved to the DONE queue.
If the bug requires more information, the SecurityTeam member should mark the bug status as 'Incomplete', without changing who the bug is assigned to.