diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc --- a/documentation/content/en/books/porters-handbook/security/_index.adoc +++ b/documentation/content/en/books/porters-handbook/security/_index.adoc @@ -82,7 +82,7 @@ [IMPORTANT] ==== Being a ports committer is not enough to commit to an arbitrary port. -Remember that ports usually have maintainers, must be respected. +Remember that ports usually have maintainers, who must be respected. ==== Please make sure that the port's revision is bumped as soon as the vulnerability has been closed. 
@@ -99,18 +99,19 @@ === The VuXML Database A very important and urgent step to take as early after a security vulnerability is discovered as possible is to notify the community of port users about the jeopardy. -Such notification serves two purposes. +Such a notification serves two purposes. First, if the danger is really severe it will be wise to apply an instant workaround. For example, stop the affected network service or even deinstall the port completely until the vulnerability is closed. Second, a lot of users tend to upgrade installed packages only occasionally. They will know from the notification that they _must_ update the package without delay as soon as a corrected version is available. Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters. -Therefore security vulnerabilities found in ports are recorded in https://vuxml.freebsd.org/[the FreeBSD VuXML database]. -The Security Officer Team members also monitor it for issues requiring their intervention. +Therefore security vulnerabilities found in ports are recorded in https://vuxml.freebsd.org/[the FreeBSD VuXML database], which Security Team members also monitor for issues requiring their intervention. -Committers can update the VuXML database themselves, assisting the Security Officer Team and delivering crucial information to the community more quickly. -Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the https://www.freebsd.org/security/#how[FreeBSD Security Information] page. +Committers can update the VuXML database themselves, assisting the Security Team and delivering crucial information to the community more quickly. 
+Port maintainers can create VuXML entries for their vulnerable ports and file bugs requesting security/vuxml updates. +Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the link:https://www.freebsd.org/administration.html#t-ports-secteam[FreeBSD Ports Security Team] first. +If needed, also contact the link:https://www.freebsd.org/administration.html#t-secteam[FreeBSD Security Team] as described on the link:https://www.freebsd.org/security/#reporting[FreeBSD Security Information] page. The VuXML database is an XML document. Its source file [.filename]#vuln.xml# is kept right inside the port package:security/vuxml[].
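Review bot: the escalation rule in the new paragraph is underspecified: reporters are told to contact the Ports Security Team "first" and the Security Team "if needed", but nothing says what makes the second contact needed, so a reporter with a severe issue cannot tell whether one report or two is expected. Consider replacing "If needed" with the concrete condition under which the Security Team must also be contacted, or saying that the Ports Security Team will escalate on the reporter's behalf if that is the intended process. Two smaller consistency points in the same hunk: "file bugs requesting security/vuxml updates" names the port as plain text while the unchanged context line right after it uses the `package:security/vuxml[]` macro, and the three new links use the `link:https://...[...]` form while the unchanged line above uses the bare `https://vuxml.freebsd.org/[the FreeBSD VuXML database]` form; using the macro and one link style throughout would keep the page uniform.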