author: Alex Gaynor <alex.gaynor@gmail.com> 2018-08-30 12:47:16 -0400
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-08-30 12:47:16 -0400
commit: 00c0b237732412c0e360217048178f7952031901 (patch)
tree: 577e29e13db603123163eb95da3ffff420191bec
parent: ef3b38d2ac381ecce025bea6ec5a9388b0901360 (diff)
Fixes #4357 -- document the additional release steps for a security release (#4429)
* Fixes #4357 -- document the additional release steps for a security release
* One additional step
* Fix a few typos
* this is a word
* link these
-rw-r--r--docs/doing-a-release.rst16
-rw-r--r--docs/spelling_wordlist.txt1
2 files changed, 17 insertions, 0 deletions
diff --git a/docs/doing-a-release.rst b/docs/doing-a-release.rst
index 45617985..f87a4499 100644
--- a/docs/doing-a-release.rst
+++ b/docs/doing-a-release.rst
@@ -3,6 +3,20 @@ Doing a release
Doing a release of ``cryptography`` requires a few steps.
+Security Releases
+-----------------
+
+In addition to the other steps described below, for a release which fixes a
+security vulnerability, you should also include the following steps:
+
+* Request a `CVE from MITRE`_. Once you have received the CVE, it should be
+ included in the :doc:`changelog`. Ideally you should request the CVE before
+ starting the release process so that the CVE is available at the time of the
+ release.
+* Ensure that the :doc:`changelog` entry credits whoever reported the issue.
+* The release should be announced on the `oss-security`_ mailing list, in
+ addition to the regular announcement lists.
+
Verifying OpenSSL version
-------------------------
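Review bot: the first bullet of the new "Security Releases" section says the CVE "should" be in the changelog and that it is "ideally" requested before the release starts, but it never says what to do when MITRE has not returned an identifier by the time the release is cut, which is exactly the case where a maintainer needs guidance. Suggest one extra sentence after "available at the time of the release.", e.g. "If the CVE has not been assigned by release time, add it to the changelog entry and the announcements as soon as it is.", so the step has a defined fallback rather than an implied blocker. The oss-security bullet would also be more useful if it stated what the announcement must carry (the CVE identifier, the affected and fixed versions), since that list expects those details and the section currently only says to post there.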
@@ -78,6 +92,8 @@ Post-release tasks
* Send an email to the `mailing list`_ and `python-announce`_ announcing the
release.
+.. _`CVE from MITRE`: https://cveform.mitre.org/
+.. _`oss-security`: http://www.openwall.com/lists/oss-security/
.. _`upgrading OpenSSL issue template`: https://github.com/pyca/cryptography/issues/new?template=openssl-release.md
.. _`milestone`: https://github.com/pyca/cryptography/milestones
.. _`mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
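Review bot: the new `oss-security` target uses a plain http URL (`.. _`oss-security`: http://www.openwall.com/lists/oss-security/`) while the neighbouring targets in this hunk and the new `CVE from MITRE` target are https. Suggest `https://www.openwall.com/lists/oss-security/` so that a reader following the link from release documentation that deals with security reporting is not sent over cleartext.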
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 225ee3af..e8b9098f 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -10,6 +10,7 @@ boolean
Botan
Brainpool
Capitan
+changelog
Changelog
ciphertext
codebook