Only vulnerabilities that affect packages in the CloudRouter repo are in scope for this process. Packages in the base Fedora repo are out of scope.
The CloudRouter security team consists of the following people:
The following artifacts are created as part of the security response process, and are referred to in the process documented below.
This is the canonical representation of a vulnerability that affects CloudRouter. It includes a variety of metadata that describes the flaw, its impact, and the component to which it applies. For an example, see: https://github.com/iixlabs/cloudrouter-security/blob/master/CRSA-2015-0001.yaml
cloudrouter-security issue
This is the top-level state tracker for resolution of a vulnerability. For an example, see:
State is tracked using labels. At any point in time, one (and only one) of the following labels should apply:
* pending_triage
* pending_upstream
* pending_patch
* pending_qe
* pending_release
* shipped
cloudrouter issue
This is a per-product-version issue to track the vulnerability. Developers should pin the commit that resolves a given vulnerability to this issue. For an example, see:
Actor: CloudRouter security team
Actions: create YAML file, cloudrouter-security issue and cloudrouter issue(s)
Actor: upstream developers
Actions: commit patch
Actor: CloudRouter security team
Actions: update cloudrouter-security issue state to pending_patch
Actor: CloudRouter developers
Actions: commit patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_qe
Actor: CloudRouter QE team
Actions: test patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_release
Actor: CloudRouter release engineering
Actions: ship updated RPM(s) and respun image(s)
Actor: CloudRouter security team
Actions: update cloudrouter-security issue state to shipped, close all issues, publish advisory based on YAML content, notify users list of advisory
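The label rule above (exactly one state label at any time) and the hand-off sequence in the steps lend themselves to a mechanical check. The following is an added example, not tooling from the CloudRouter project: it encodes the six labels, enforces the one-label invariant on a label set, and checks that successive updates only move the issue forward through the labels in the order they are listed. The forward-only assumption, the `audit` helper, and the sample label histories are constructed for illustration and are not described on the page.

```python
"""Checks for the cloudrouter-security issue state labels.

Added example; not part of the CloudRouter project's tooling. It encodes the
rule that exactly one state label applies at any time and assumes (this is
not stated on the page) that state only moves forward through the labels in
the order they are listed.
"""

STATE_LABELS = [
    "pending_triage",
    "pending_upstream",
    "pending_patch",
    "pending_qe",
    "pending_release",
    "shipped",
]
_ORDER = {label: i for i, label in enumerate(STATE_LABELS)}


def current_state(labels):
    """Return the single state label on an issue.

    `labels` is the full label set of the issue; labels that are not state
    labels (a component tag, for instance) are ignored. Raises ValueError
    when zero or more than one state label is present.
    """
    states = [label for label in labels if label in _ORDER]
    if len(states) != 1:
        raise ValueError(f"expected exactly one state label, found {sorted(states)}")
    return states[0]


def validate_transition(old_labels, new_labels):
    """Check that a label update moves the issue forward (assumption, see above).

    Returns the new state; raises ValueError on a backwards or repeated
    transition or when either label set breaks the one-label rule.
    """
    old, new = current_state(old_labels), current_state(new_labels)
    if _ORDER[new] <= _ORDER[old]:
        raise ValueError(f"invalid transition {old} -> {new}")
    return new


def audit(history):
    """Walk successive label snapshots of one issue.

    Returns (True, states_passed_through) when every snapshot and transition
    is valid, otherwise (False, description_of_first_violation).
    """
    try:
        states = [current_state(history[0])]
        for prev, cur in zip(history, history[1:]):
            states.append(validate_transition(prev, cur))
        return True, states
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: snapshots of a hypothetical issue's labels over its life,
# including a non-state label that the checks must ignore.
SAMPLE_HISTORY = [
    {"pending_triage", "component:example-pkg"},
    {"pending_upstream", "component:example-pkg"},
    {"pending_patch", "component:example-pkg"},
    {"pending_qe", "component:example-pkg"},
    {"pending_release", "component:example-pkg"},
    {"shipped", "component:example-pkg"},
]

# Constructed sample of a bad update: two state labels applied at once.
BAD_HISTORY = [
    {"pending_triage"},
    {"pending_triage", "pending_patch"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_HISTORY))
    print(audit(BAD_HISTORY))
```

Run against label snapshots pulled from the issue tracker, `audit` flags the two mistakes this process is most exposed to: an issue carrying two state labels after a hand-off, and an issue that was moved back a state without anyone noticing.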