diff --git a/project-security/security.md b/project-security/security.md index c5b9d0b0..14c3d313 100644 --- a/project-security/security.md +++ b/project-security/security.md @@ -32,13 +32,15 @@ important project security pages: ## Reporting Security Issues in Qubes OS If you believe you have found a security issue affecting Qubes OS, either -directly or indirectly (e.g. the issue affects Xen in a configuration that is -used in Qubes OS), then we would be more than happy to hear from you! We -promise to treat any reported issue seriously and, if the investigation -confirms that it affects Qubes, to patch it within a reasonable time and -release a public [Qubes Security Bulletin](/security/qsb/) that describes -the issue, discusses the potential impact of the vulnerability, references -applicable patches or workarounds, and credits the discoverer. +directly or indirectly (e.g., the issue affects Xen in a configuration that is +used in Qubes OS), then we would be more than happy to hear from you! Please +send a [PGP-encrypted](#security-team-pgp-key) email to the [Qubes Security +Team](#qubes-security-team). We promise to take all reported issues seriously. +If our investigation confirms that an issue affects Qubes, we will patch it +within a reasonable time and release a public [Qubes Security Bulletin +(QSB)](/security/qsb/) that describes the issue, discusses the potential impact +of the vulnerability, references applicable patches or workarounds, and credits +the discoverer. ## Security Updates 
@@ -47,19 +49,20 @@ OS](/doc/how-to-update/). ## Qubes Security Team -The Qubes Security Team (QST) is the subset of the [Qubes Team](/team/) that is -responsible for ensuring the security of Qubes OS and the Qubes OS Project. In -particular, the QST is responsible for: +The **Qubes Security Team (QST)** is the subset of the [Core Qubes +Team](/team/#core) that is responsible for ensuring the security of Qubes OS +and the Qubes OS Project. In particular, the QST is responsible for: - Responding to [reported security issues](#reporting-security-issues-in-qubes-os) - Evaluating whether [XSAs](/security/xsa/) affect the security of Qubes OS - Writing, applying, and/or distributing security patches to fix vulnerabilities in Qubes OS -- Writing, signing, and publishing [Security Bulletins](/security/qsb/) -- Writing, signing, and publishing [Canaries](/security/canary/) +- Writing, signing, and publishing [Qubes Security Bulletins + (QSBs)](/security/qsb/) +- Writing, signing, and publishing [Qubes Canaries](/security/canary/) - Generating, safeguarding, and using the project's [PGP - Keys](https://keys.qubes-os.org/keys/) + keys](https://keys.qubes-os.org/keys/) As a security-oriented operating system, the QST is fundamentally important to Qubes, and every Qubes user implicitly trusts the members of the QST by virtue @@ -76,8 +79,8 @@ Please use the [Security Team PGP Key](https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc) to encrypt all emails sent to this address. This key is signed by the [Qubes Master Signing Key](https://keys.qubes-os.org/keys/qubes-master-signing-key.asc). -Please see [Why and How to Verify Signatures](/security/verifying-signatures/) -for information about how to verify these keys. +Please see [Verify Signatures](/security/verifying-signatures/) for information +about how to authenticate these keys. ### Members of the Security Team
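Review bot: In the first hunk (Reporting Security Issues), the added link `[PGP-encrypted](#security-team-pgp-key)` points at an in-page anchor that no visible line defines. The only "Security Team PGP Key" text shown in this patch is link text for the `.asc` file in the third hunk, not a heading. Please confirm that a heading or explicit id on the page generates `#security-team-pgp-key`. Otherwise a reporter following the new instruction lands nowhere and has no pointer to the key they are asked to encrypt to.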
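Review bot: In the second hunk (Qubes Security Team), the new link target `/team/#core` depends on a `core` anchor on the team page, which this patch does not touch. Please check that it exists so the link does not silently fall back to the top of `/team/`. While this paragraph is being edited, the unchanged sentence "As a security-oriented operating system, the QST is fundamentally important to Qubes" has a dangling modifier (the QST is not the operating system). It could be reworded along the lines of "Because Qubes is a security-oriented operating system, the QST is fundamentally important to it".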
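Review bot: In the third hunk (Security Team PGP Key), the reworded sentence now says "authenticate these keys", but the only evidence the surrounding text offers is the signature by the Qubes Master Signing Key, and both key links are served from `keys.qubes-os.org`. A signature made by a master key fetched from the same host authenticates nothing by itself, so consider stating in this paragraph that the Qubes Master Signing Key must itself be authenticated first, and leave the procedure to the linked page. A smaller point: the link text is now "Verify Signatures" while the sentence says "authenticate". Using one term for both would avoid suggesting they are different steps.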