Skip to content

Latest commit

 

History

History
30 lines (18 loc) · 1.5 KB

runbook.md

File metadata and controls

30 lines (18 loc) · 1.5 KB
Raw

Runbook

Read more details about each step in the Response process section of the full guide.

  1. Intake

    • The VMT receives an email or security issue detailing the issue, steps taken to create it, versions, and known mitigations.
    • The VMT replies acknowledging issue receipt.

  2. Assessment

    • The VMT decides if the issue is working-as-intended, a bug, a feature request, or a security issue.
    • The VMT responds to the reporter with their assessment.
    • If it is a vulnerability and the project is using GitHub for coordination, the VMT opens a Security Advisory and adds the reporter as a collaborator.

  3. Patching

    • The VMT (and if applicable the reporter and other necessary project maintainers) develop and test a patch on a private branch. The patch is prepared for release.

  4. CVE assignment

    • The VMT uses a CNA to request a CVE entry and credits the reporter according to the reporter’s preference.

  5. (If applicable) Embargoed notification

    • Embargoed notification with CVE number, issue description, reporter credit, affected versions, mitigation, and timeline for public disclosure.

  6. Public disclosure

    • Vulnerability publicly disclosed. Lists CVE number, issue description, reporter credit, affected versions, and mitigation.
    • Private branches for patch development are made public.