Security Response Process
Scope
Only vulnerabilities that affect packages in the CloudRouter repo are in scope for this process. Packages in the base Fedora repo are out of scope.
Security Team
The CloudRouter security team consists of the following people:
- David Jorm
- Brendan Scarvell
- Arun Neelicattu
Artifacts
The following artifacts are created as part of the security response process, and are referred to in the process documented below.
YAML advisory
This is the canonical representation of a vulnerability that affects CloudRouter. It includes a variety of metadata that describes the flaw, its impact, and the component to which it applies. For an example, see: https://github.com/iixlabs/cloudrouter-security/blob/master/CRSA-2015-0001.yaml
cloudrouter-security issue
This is the top-level state tracker for resolution of a vulnerability. For an example, see:
- SEC-1
State is tracked using labels. At any point in time, one (and only one) of the following labels should apply:
- pending_triage
- pending_upstream
- pending_patch
- pending_qe
- pending_release
- shipped
cloudrouter issue
This is a per-product-version issue to track the vulnerability. Developers should pin the commit that resolves a given vulnerability to this issue. For an example, see:
- CR-7
Process
Triage
Actor: CloudRouter security team
Actions: create YAML file, cloudrouter-security issue and cloudrouter issue(s)
Upstream patch
Actor: upstream developers
Actions: commit patch
Actor: CloudRouter security team
Actions: update cloudrouter-security issue state to pending_patch
Downstream patch
Actor: CloudRouter developers
Actions: commit patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_qe
QE
Actor: CloudRouter QE team
Actions: test patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_release
Ship patch
Actor: CloudRouter release engineering
Actions: ship updated RPM(s) and respun image(s)
Actor: CloudRouter security team
Actions: update cloudrouter-security issue state to shipped, close all issues, publish advisory based on YAML content, notify users list of advisory
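The "one (and only one) state label" rule and the step-by-step state changes above are easy to break by hand when several people relabel issues. The following validator is an added example, not CloudRouter project code: it takes the six labels from this page, assumes the order they are listed in is the order the process moves through them (the page never describes moving backwards, e.g. after a failed QE round, so that is treated as illegal), and audits constructed sample issues whose keys are placeholders rather than real tracker entries.

```python
"""Label-state validator for cloudrouter-security issues.

Added example, not part of the CloudRouter project. The state labels
come from the process page; the ordering assumption and the sample
issue records are this example's own.
"""

# The state labels, in the order the process page lists them (assumed
# to be the order the process steps move through).
STATES = (
    "pending_triage",
    "pending_upstream",
    "pending_patch",
    "pending_qe",
    "pending_release",
    "shipped",
)

# Each process step advances an issue to the next state, so the only
# legal transition is to the immediately following state. Once shipped,
# no further transition is allowed. (Assumption: the page does not
# describe moving backwards.)
ALLOWED = {STATES[i]: {STATES[i + 1]} for i in range(len(STATES) - 1)}
ALLOWED["shipped"] = set()


def current_state(labels):
    """Return the single state label on an issue, or raise if the
    'one and only one' rule is violated (zero or several state labels)."""
    found = [lab for lab in labels if lab in STATES]
    if len(found) != 1:
        raise ValueError(f"expected exactly one state label, got {found}")
    return found[0]


def validate_transition(old_labels, new_labels):
    """Check that relabelling an issue follows the process order.
    Returns True when the change is legal (or a no-op); raises otherwise."""
    old = current_state(old_labels)
    new = current_state(new_labels)
    if new == old:
        return True  # non-state labels changed, state did not
    if new not in ALLOWED[old]:
        raise ValueError(f"illegal transition {old} -> {new}")
    return True


def audit(issues):
    """Return [(issue_key, problem), ...] for every issue whose labels
    break the single-state rule; an empty list means all are consistent."""
    problems = []
    for key, labels in issues.items():
        try:
            current_state(labels)
        except ValueError as exc:
            problems.append((key, str(exc)))
    return problems


# Constructed sample data: placeholder keys, not real tracker issues.
SAMPLE_ISSUES = {
    "SEC-EXAMPLE-1": ["pending_qe", "component:example"],
    "SEC-EXAMPLE-2": ["pending_patch", "pending_qe"],  # two state labels
    "SEC-EXAMPLE-3": ["component:example"],            # no state label
}

if __name__ == "__main__":
    for key, problem in audit(SAMPLE_ISSUES):
        print(f"{key}: {problem}")
    # A legal step: upstream has committed, so the security team moves
    # the issue on to pending_patch.
    validate_transition(["pending_upstream"], ["pending_patch"])
```

Running the audit as a periodic job against the tracker's label export, or as a check on each relabel event, catches the two failure modes that silently stall a vulnerability: an issue with no state label (nobody owns the next step) and an issue with two (two teams each think the other is acting).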