Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-27 16:24:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update SECURITY-RELEASE-PROCESS.md (#2237)

Browse Source 
Automatically submitted.
This commit is contained in:
Francois Tur
2018-10-25 02:39:43 -04:00
committed by corbot[bot]
parent 204537b324
commit b0a89452ef
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
SECURITY-RELEASE-PROCESS.md
View File

@@ -16,7 +16,7 @@ The initial Product Security Team will consist of the set of maintainers that vo
### mailing lists ### mailing lists
* security@coredns.io : for any security concerns. Received by Product Security Team members, and used by this Team to discuss security issues and fixes. * security@coredns.io : for any security concerns. Received by Product Security Team members, and used by this Team to discuss security issues and fixes.
* coredns-distributors-announce@googlegroup.com: for early private information on Security patch releases. see below how CoreDNS distributors can apply for this list. * coredns-distributors-announce@lists.cncf.io: for early private information on Security patch releases. see below how CoreDNS distributors can apply for this list.
## Disclosures ## Disclosures
@@ -106,7 +106,7 @@ They should know when to block time to apply patches, understand exact mitigatio
- The Fix Lead will make a determination with the help of the Fix Team if an issue is critical enough to require early disclosure to distributors. - The Fix Lead will make a determination with the help of the Fix Team if an issue is critical enough to require early disclosure to distributors.
Generally this Private Distributor Disclosure process should be reserved for remotely exploitable or privilege escalation issues. Generally this Private Distributor Disclosure process should be reserved for remotely exploitable or privilege escalation issues.
Otherwise, this process can be skipped. Otherwise, this process can be skipped.
- The Fix Lead will email the patches to coredns-distributors-announce@googlegroup.com so distributors can prepare their own release to be available to users on the day of the issue's announcement. - The Fix Lead will email the patches to coredns-distributors-announce@lists.cncf.io so distributors can prepare their own release to be available to users on the day of the issue's announcement.
Distributors should read about the [Private Distributor List](#private-distributor-list) to find out the requirements for being added to this list. Distributors should read about the [Private Distributor List](#private-distributor-list) to find out the requirements for being added to this list.
- **What if a distributor breaks embargo?** The PST will assess the damage and may make the call to release earlier or continue with the plan. - **What if a distributor breaks embargo?** The PST will assess the damage and may make the call to release earlier or continue with the plan.
When in doubt push forward and go public ASAP. When in doubt push forward and go public ASAP.
@@ -131,7 +131,7 @@ individuals to find out about security issues.
### Embargo Policy ### Embargo Policy
The information members receive on coredns-distributors-announce@googlegroup.com must not be The information members receive on coredns-distributors-announce@lists.cncf.io must not be
made public, shared, nor even hinted at anywhere beyond the need-to-know within made public, shared, nor even hinted at anywhere beyond the need-to-know within
your specific team except with the list's explicit approval. your specific team except with the list's explicit approval.
This holds true until the public disclosure date/time that was agreed upon by the list. This holds true until the public disclosure date/time that was agreed upon by the list.
@@ -168,7 +168,7 @@ could be in the form of the following:
### Membership Criteria ### Membership Criteria
To be eligible for the coredns-distributors-announce@googlegroup.com mailing list, your To be eligible for the coredns-distributors-announce@lists.cncf.io mailing list, your
distribution should: distribution should:
1. Be an active distributor of CoreDNS component. 1. Be an active distributor of CoreDNS component.
@@ -186,4 +186,4 @@ distribution should:
New membership requests are sent to security@coredns.io. New membership requests are sent to security@coredns.io.
In the body of your request please specify how you qualify and fulfill each In the body of your request please specify how you qualify and fulfill each
criterion listed in [Membership Criteria](#membership-criteria). criterion listed in [Membership Criteria](#membership-criteria).