<?php
    $title="WebKit Security Policy";
    include("../header.inc");
?>
<h2>WebKit Security Policy</h2>
<h3>How To Report Security Bugs</h3>
<ol>
    <li><b>Reporting an issue:</b> Start by filing a bug in the Security product in the WebKit
    bug database,
    at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
    Bugs in the Security product will have special access controls
    that restrict who can view and alter the bug; only members of
    the WebKit Security Group and the originator will have access
    to the bug.
    <li><b>Scope of disclosure:</b>
    If you would like to limit further dissemination of the
    information in the bug report, please say so in the
    bug. Otherwise the WebKit Security Group may share information
    with other vendors if we find they may be affected by the same
    vulnerability. The WebKit Security Group will handle the
    information you provide responsibly. See the other sections of
    this document for details.
    <li><b>Getting feedback:</b>
    We cannot guarantee a prompt human response to every security
    bug filed. If you would like immediate feedback on a security
    issue, or would like to discuss details with members of the
    WebKit Security Group, please
    email <a href="mailto:security@webkit.org">security@webkit.org</a>
    and include a link to the relevant Bugzilla bug. Your message
    will be acknowledged within a week at most.

    <p>The current member list will be published at
    <a href="security-group-members.html">http://webkit.org/security/security-group-members.html</a>.</p>
</ol>

<h3>How To Join the WebKit Security Group</h3>

<ol>
    <li>
    <b>Criteria:</b> Nominees for WebKit Security Group
    membership should meet at least one of the following criteria:

    <br>
    Individuals:
    <ul>
        <li>
        The nominee specializes in fixing WebKit security related bugs or often participates in their exploration and resolution.
        <li>
        The nominee has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
        <li>
        The nominee is a web technology expert who has specific interests in knowing
        about, resolving, and preventing future security
        vulnerabilities.
    </ul>
    Vendor contacts:
    <ul>
        <li>
        The nominee represents an organization or
        company which ships products that include their own copy of
        WebKit. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes.
    </ul>

    <li><b>Nomination process:</b> Anyone who feels they meet these criteria can nominate
    themselves by mailing <a href="mailto:security@webkit.org">security@webkit.org</a>,
    or may be nominated by a third party such as an existing
    WebKit Security Group member.  The nomination email should state whether the nominee is 
    nominated as an individual or as a vendor contact and clearly describe the grounds for nomination.

    <li><b>Choosing new members:</b> If a nomination for Security
    Group membership is supported by at least three existing Security
    Group members (either one initial nomination and two seconds, or
    in the case of self-nomination, three seconds), then it carries
    within 5 business days unless an existing member of the Security Group objects.
    If an objection is raised, the WebKit Security Group members should discuss
    the matter and try to come to consensus; failing this, the nomination will succeed
    only by majority vote of the WebKit Security Group.  After a vote is called for
    on the mailing list, voting will be open for 5 business days.

    <li><b>Accepting membership:</b> Before new WebKit Security Group
    membership is finalized, the successful nominee should accept
    membership and agree to abide by this security policy,
    particularly Privileges and Responsibilities of WebKit Security Group members.

    <li><b>Duration of membership:</b> Vendor contacts will only remain members
    as long as their position with that vendor remains the same.  Individuals will remain members
    indefinitely until they resign or their membership is terminated.

</ol>

<h3>Privileges and Responsibilities of WebKit Security Group Members</h3>

<ul>
    <li><b>Access:</b> WebKit Security Group members will be subscribed to
    a private mailing list, <a href="mailto:security@webkit.org">security@webkit.org</a>.
    It will be used for technical discussions of security bugs, as well as process discussions about
    matters such as disclosure timelines and group membership.
    Members will also have access to all bugs in the Security product in the WebKit bug database.

    <li><b>Confidentiality:</b> Members of the WebKit Security Group
    will be expected to treat WebKit security vulnerability
    information shared with the group as confidential until publicly
    disclosed:

    <ul>
        <li>
        Members should not disclose Security bug information to
        non-members unless the member is employed by the vendor
        of a WebKit based product, in which case information can be
        shared within that organization on a need-to-know basis and
        handled as confidential information normally is within that
        organization. The one exception to this rule is that members may
        share vulnerabilities with vendors of non-WebKit based products
        if their product suffers from the same issue and the reporter has
        not explicitly requested this not be done. The non-WebKit vendor
        should be asked to respect the issue's embargo date, and to not
        share the information beyond the need-to-know people within their
        organization.
        <li>
        Members should not post any information about Security bugs in public forums.
    </ul>

    <li><b>Disclosure:</b> The WebKit Security Group will negotiate an
    embargo date for public disclosure for each new Security bug, with a
    default minimum time limit of 60 days. An embargo may be lifted
    before the agreed-upon date if all vendors planning to ship a fix
    have already done so, and if the reporter does not object. The
    agreed-upon embargo date will be communicated to the reporter
    through the bug
    at <a href="https://bugs.webkit.org">https://bugs.webkit.org</a>.
</ul>

<h3>Termination of WebKit Security Group Membership</h3>
<ul>
    <li>Members of the WebKit Security Group may voluntarily end their membership at any time, for any reason.
    <li>Inactive members who are no longer reachable via e-mail at the address 
    associated with their group membership will be removed from the WebKit Security Group.

    <li>A member who joined the group as a vendor contact and is no longer associated with that vendor will be
    removed from the WebKit Security Group.  The person may be re-nominated as an individual expert or as a vendor contact
    for another organization.

    <li>If a member of the WebKit Security Group does not act in
    accordance with the letter and spirit of this policy, then their
    WebKit Security Group membership can be revoked by a majority vote of the
    members, not including the person under consideration for
    revocation.  After a member calls for a revocation vote on the mailing list,
    voting will be open for 5 business days.
    <ul>
    <li><b>Emergency suspension:</b> A WebKit Security Group member who blatantly
    disregards the WebKit Security Policy may have their membership
    temporarily suspended on the request of any two members.  In such
    a case, the requesting members should notify the security mailing
    list with a description of the offense. At this point, membership
    will be temporarily suspended for one week, pending outcome of the
    vote for permanent revocation.
    </ul>

</ul>

<h3>Changes to the Policy</h3>

<p>The WebKit Security Policy may be changed in the future by rough
consensus of the WebKit Security Group. Changes to the policy will be
posted publicly.</p>

<?php
    include("../footer.inc");
?>
