24 | | !GitHub pull requests can be used to ''preliminary'' review, or to gather feedback about the patch. |
25 | | |
26 | | = Handling security issues = |
27 | | |
28 | | The way OpenVPN project handles security issues was discussed and agreed upon in the IRC meeting on [http://thread.gmane.org/gmane.network.openvpn.devel/3841 15th July 2010]. The goal is to disclose security issues in 3 weeks - or less, if a fix is ready. If a fix is not ready in 3 weeks the issue should be disclosed nevertheless and provide workarounds (if any) to users and then fix the issue a.s.a.p. Also, ''all'' security issues - whether they're theoretical or being exploited - should be fixed. It was also agreed that our users should be informed about vulnerabilities in external software OpenVPN depends on (e.g. OpenSSL). This will be done after developers of the external software have already disclosed the vulnerability. |
| 24 | !GitHub pull requests can be used to ''preliminary'' review, but the final patch must go to the openvpn-devel list. |