Comments (15)
I think we should take a user-centric approach to this, where everyone on distributors-announce are our users. I'd like to put together a questionnaire to collect feedback from distributors on how they use the embargo announcements, with details like what the ideal embargo length would be, and what their severity thresholds are for handling vulnerabilities. My hope was that the security process working group could own this.
from committee-security-response.
+1 I think our timelines are too aggressive as well.
Context: When the document was originally written we were hoping to have tighter control over the release process; but in practice trying to have that level of control leads to an extremely high amount of effort and eventual burn out. So, we should document the reality.
/cc @destijl
I'd be happy to help out on getting the questionnaire out and working on this
@micahhausler If you want to take a stab at putting together a questionnaire, that would be great. Here are some questions we might want to ask:
- How satisfied are you with the way in which Kubernetes vulnerabilities have been handled?
- Do you create custom k8s releases for embargoed vulnerabilities before the official release is cut? If so, how long does it typically take?
- Do you release custom patched k8s releases for embargoed vulnerabilities?
- How long does it typically take you to release a patch, from initial notification?
- What would your ideal embargo timeline be?
- Do you have a severity threshold for handling embargoed patches? What is the maximum severity you would tolerate for handling without embargo?
- Any other feedback for the PSC?
Edit - also:
- Which distributor are you responding for?
(in case it isn't obvious from the email address)
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/remove-lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/remove-lifecycle stale
I think this is covered for medium/lows by @cji's policy update, but we should still revise the timelines for high/critical issues
/assign @immutableT
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
In response to this:
> Rotten issues close after 30d of inactivity.
> Reopen the issue with /reopen.
> Mark the issue as fresh with /remove-lifecycle rotten.
> Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.