security: some GREYFOX inspired policy fine tunings. (envoyproxy#12276)
We heard back from Istio that release adjacency to EOQ wasn't great, and from other internal teams
that more details on the CVEs in the distributor mailout would be helpful.

Signed-off-by: Harvey Tuch <[email protected]>
htuch authored Jul 24, 2020
1 parent 08464ec commit 20c32d2
Showing 2 changed files with 4 additions and 0 deletions.
3 changes: 3 additions & 0 deletions SECURITY.md
Expand Up @@ -124,6 +124,9 @@ to perform a release within this time window. If there are exceptional circumsta
security team will raise this window to four weeks. The release window will be reduced if the
security issue is public or embargo is broken.

We will endeavor not to overlap this three week window with or place it adjacent to major corporate
holiday periods or end-of-quarter (e.g. impacting downstream Istio releases), where possible.

### Fix and disclosure SLOs

* All reports to [email protected] will be triaged and have an
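Review bot: the added sentence hard-codes "this three week window", but the unchanged context two lines above says the security team "will raise this window to four weeks" in exceptional circumstances, so the new wording becomes inaccurate exactly when the window is extended; "this release window" (or "this three-week window, or the extended window where applicable") keeps the policy consistent. While touching the line, "three week" used as a modifier should be hyphenated ("three-week"), and "end-of-quarter" reads more naturally as "end-of-quarter periods" alongside "holiday periods".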
1 change: 1 addition & 0 deletions security/email-templates.md
Expand Up @@ -50,6 +50,7 @@ Envoy maintainers on the Envoy GitHub.
We will address the following CVE(s):
* CVE-YEAR-ABCDEF (CVSS score $CVSS, $SEVERITY): $CVESUMMARY
- Link to the appropriate section of the CVE writeup document with gh-cve-template.md content.
...
We intend to make candidates release patches available under embargo on the
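Review bot: the added sub-bullet is an instruction to the person filling in the template ("Link to the appropriate section of the CVE writeup document with gh-cve-template.md content."), but the surrounding line uses shell-style placeholders (`$CVSS`, `$SEVERITY`, `$CVESUMMARY`) that are substituted before sending; in its current form the instruction text risks going out verbatim to distributors. Suggest either a placeholder in the same style, e.g. `- $CVEWRITEUPLINK`, with the instruction moved to a comment or to the surrounding guidance, or wrapping it in the template's existing convention for author-only notes if one exists. Unrelated to this change but visible in the trailing context: "candidates release patches" should read "candidate release patches".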