Important Change to KDE’s Security Policy

KDE’s Security Policy has had a small update. The change is as follows:

  • Information about security vulnerabilities will no longer be published via the Dot at http://dot.kde.org.

This change was made to reflect actual practices. Although the security policy has stated that security information would be published via the Dot, a review has shown that this has rarely occurred due to confusion as to whether the Dot is the appropriate venue for this information. This can mislead users into believing that following the Dot provides them with pertinent security information.

Most users obtain KDE via distributions, which receive advance notification of security information via the private KDE Packagers mailing list. For those who compile from source, or who are simply interested in knowing about security vulnerabilities in KDE software, this information is already disseminated via two public venues: the kde-announce mailing list and the BugTraq full disclosure list.

As always, we ask users with information about possible security vulnerabilities to responsibly disclose this information to the security team at security@kde.org, so that patches can be readied before public disclosure.