Security Response Process

Scope

Only vulnerabilities that affect packages in the CloudRouter repo are in scope for this process. Packages in the base Fedora repo are out of scope.

Security Team

The CloudRouter security team consists of the following people:

  • David Jorm
  • Brendan Scarvell
  • Arun Neelicattu

Artifacts

The following artifacts are created as part of the security response process, and are referred to in the process documented below.

YAML advisory

This is the canonical representation of a vulnerability that affects CloudRouter. It includes a variety of metadata that describes the flaw, its impact, and the component to which it applies. For an example, see: https://github.com/iixlabs/cloudrouter-security/blob/master/CRSA-2015-0001.yaml

cloudrouter-security issue

This is the top-level state tracker for resolution of a vulnerability. For an example, see:

SEC-1

State is tracked using labels. At any point in time, one (and only one) of the following labels should apply:

* pending_triage
* pending_upstream
* pending_patch
* pending_qe
* pending_release
* shipped

cloudrouter issue

This is a per-product-version issue to track the vulnerability. Developers should pin the commit that resolves a given vulnerability to this issue. For an example, see:

CR-7

Process

Triage

Actor: CloudRouter security team

Actions: create YAML file, cloudrouter-security issue and cloudrouter issue(s)

Upstream patch

Actor: upstream developers

Actions: commit patch


Actor: CloudRouter security team

Actions: update cloudrouter-security issue state to pending_patch

Downstream patch

Actor: CloudRouter developers

Actions: commit patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_qe

QE

Actor: CloudRouter QE team

Actions: test patch, update cloudrouter issue(s), update cloudrouter-security issue state to pending_release

Ship patch

Actor: CloudRouter release engineering

Actions: ship updated RPM(s) and respun image(s)


Actor: CloudRouter security team

Actions: update cloudrouter-security issue state to shipped, close all issues, publish advisory based on YAML content, notify users list of advisory
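The process above relies on the invariant that a cloudrouter-security issue carries exactly one lifecycle label at a time and advances through the labels in the order they are listed. The following checker is an added example, not part of the CloudRouter project's tooling; it assumes that the listed label order is the transition order (one step at a time) and that issue records are dicts with a "key" and a "labels" list, and the sample issue records are constructed for the demonstration.

```python
"""Check the label-based state tracking used on cloudrouter-security issues.

Added example, not CloudRouter project tooling. Assumptions not stated on the
page: labels advance in the listed order one step at a time, and each issue
record is a dict with a "key" and a "labels" list.
"""

# Lifecycle labels in the order the process lists them. The transition order
# (triage -> upstream -> patch -> qe -> release -> shipped) is assumed.
STATES = [
    "pending_triage",
    "pending_upstream",
    "pending_patch",
    "pending_qe",
    "pending_release",
    "shipped",
]


def current_state(labels):
    """Return the single lifecycle label on an issue.

    Raises ValueError if zero or more than one lifecycle label is present,
    which violates the "one (and only one)" invariant the process requires.
    """
    found = [label for label in labels if label in STATES]
    if len(found) != 1:
        raise ValueError(f"expected exactly one state label, found {found}")
    return found[0]


def is_valid_transition(old, new):
    """True only if moving from `old` to `new` advances exactly one step."""
    if old not in STATES or new not in STATES:
        return False
    return STATES.index(new) == STATES.index(old) + 1


def transition(labels, new_state):
    """Return a new label list with the state label replaced by `new_state`.

    Non-lifecycle labels (e.g. a constructed "security" tag) are preserved.
    """
    old = current_state(labels)
    if not is_valid_transition(old, new_state):
        raise ValueError(f"illegal transition {old} -> {new_state}")
    return [new_state if label == old else label for label in labels]


def audit(issues):
    """Check every issue record; return {issue key: problem text or None}."""
    results = {}
    for issue in issues:
        try:
            current_state(issue["labels"])
            results[issue["key"]] = None
        except ValueError as exc:
            results[issue["key"]] = str(exc)
    return results


# Constructed sample issue records, not real tracker data.
SAMPLE_ISSUES = [
    {"key": "SEC-1", "labels": ["security", "pending_patch"]},   # well-formed
    {"key": "SEC-2", "labels": ["pending_qe", "pending_release"]},  # two states
    {"key": "SEC-3", "labels": ["security"]},                     # no state
]

if __name__ == "__main__":
    for key, problem in audit(SAMPLE_ISSUES).items():
        print(key, "ok" if problem is None else problem)
    # A developer finishing the downstream patch moves the issue to pending_qe.
    print(transition(["security", "pending_patch"], "pending_qe"))
```

Running the audit over an export of the tracker's issues surfaces records that have drifted from the process (no state label, or two at once); `transition` is the hook a bot or script would use so that, for example, QE can only move an issue to pending_release from pending_qe.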