security: templates for e-mails and CVE GH filing. #6442
Conversation
These capture some of our existing patterns in CVE related e-mail announcements, as well as some future planned e-mails and GH filing. They are based on OpenSSL security release announcement and https://github.com/kubernetes/security/blob/master/email-templates.md#security-fix-announcement. Signed-off-by: Harvey Tuch <htuch@google.com>
Thanks this is super awesome. A few comments from me. Agreed would love to hear from folks more experienced in this process for further comments.
Signed-off-by: Harvey Tuch <htuch@google.com>
LGTM, thanks so much. Definitely would love to hear from others but we can always ship and iterate if that is easier.
Looks good as a starting point, I'm sure you'll find things you want to tweak. One thing we've found is that it's helpful to keep emails succinct and link to things that can be edited/updated to incorporate more details post-disclosure. That's especially true for intricate commands or mitigation steps.
Yep, these look good. Posts to public mailing lists that have stable identifiers are very useful for your distributors, e.g. GKE has a security bulletins page that references K8s announcements via the groups.google.com URL, see https://cloud.google.com/kubernetes-engine/docs/security-bulletins#march-01-2019. Another option, but more work, would be to stand up a similar security bulletins page for Envoy itself (we haven't done this for K8s, yet).