security: templates for e-mails and CVE GH filing.

[htuch]

These capture some of our existing patterns in CVE related e-mail announcements, as well as some
future planned e-mails and GH filing. They are based on OpenSSL security release announcement and
https://github.com/kubernetes/security/blob/master/email-templates.md#security-fix-announcement.

Signed-off-by: Harvey Tuch htuch@google.com

[htuch]

@duderino @destijl @liggitt would be great to get your thoughts on this. We'd like to have good alignment with k8s and Istio when it comes to messaging formats and details on security issues.

[mattklein123]

Thanks this is super awesome. A few comments from me. Agreed would love to hear from folks more experienced in this process for further comments.

[mattklein123]

LGTM, thank's so much. Definitely would love to hear from others but we can always ship and iterate if that is easier.

[liggitt]

looks good as a starting point, I'm sure you'll find things you want to tweak.

One thing we've found is that it's helpful to keep emails succinct and link to things that can be edited/updated to incorporate more details post-disclosure. That's especially true for intricate commands or mitigation steps.

[destijl]

Yep, these look good. Posts to public mailing lists that have stable identifiers are very useful for your distributors, e.g. GKE has a security bulletins page that references K8s announcements via the groups.google.com URL, see https://cloud.google.com/kubernetes-engine/docs/security-bulletins#march-01-2019. Another option, but more work, would be to stand up a similar security bulletins page for Envoy itself (we haven't done this for K8s, yet).

[htuch]

@liggitt @destijl Ack. Our public lists are on googlegroups.com and we also have GH issue URLs as stable IDs. I'm going to merge this and we can continue to iterate as we prepare out current CVE comms.