From 20c32d2db78168249f47cc781ed25f999ef13a52 Mon Sep 17 00:00:00 2001 From: htuch Date: Fri, 24 Jul 2020 14:18:12 -0400 Subject: [PATCH] security: some GREYFOX inspired policy fine tunings. (#12276) We heard back from Istio that release adjacency to EOQ wasn't great, and from other internal teams that more details on the CVEs in the distributor mailout would be helpful. Signed-off-by: Harvey Tuch --- SECURITY.md | 3 +++ security/email-templates.md | 1 + 2 files changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a195ce706bc7..3483408e7ea8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -124,6 +124,9 @@ to perform a release within this time window. If there are exceptional circumsta security team will raise this window to four weeks. The release window will be reduced if the security issue is public or embargo is broken. +We will endeavor not to overlap this three week window with or place it adjacent to major corporate +holiday periods or end-of-quarter (e.g. impacting downstream Istio releases), where possible. + ### Fix and disclosure SLOs * All reports to envoy-security@googlegroups.com will be triaged and have an diff --git a/security/email-templates.md b/security/email-templates.md index e58dfdc91747..ffd0232c7798 100644 --- a/security/email-templates.md +++ b/security/email-templates.md @@ -50,6 +50,7 @@ Envoy maintainers on the Envoy GitHub. We will address the following CVE(s): * CVE-YEAR-ABCDEF (CVSS score $CVSS, $SEVERITY): $CVESUMMARY + - Link to the appropriate section of the CVE writeup document with gh-cve-template.md content. ... We intend to make candidates release patches available under embargo on the
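Review bot: In the SECURITY.md hunk, the new sentence hardcodes "this three week window", but the paragraph immediately above it says the security team may raise the window to four weeks; anchoring the scheduling promise to the literal "three week" figure makes it silently lapse when the window is extended. Suggest "We will endeavor, where possible, not to schedule the release window to overlap with, or fall adjacent to, major corporate holiday periods or quarter ends (which would, e.g., impact downstream Istio releases)." This also fixes the dangling "end-of-quarter" (needs a noun) and the "overlap ... with or place it adjacent to" construction, which reads awkwardly in its current form.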
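Review bot: In the security/email-templates.md hunk, the added sub-bullet "- Link to the appropriate section of the CVE writeup document with gh-cve-template.md content." is an instruction to whoever fills in the template, whereas the surrounding lines use substitution placeholders ($CVS, $SEVERITY, $CVESUMMARY) that are meant to be copied into the mail verbatim. As written, a sender who pastes the template without editing will ship the instruction text to distributors instead of a link. Suggest either a placeholder in the existing style, e.g. "- $CVEWRITEUPLINK", with the explanatory text moved into a comment or into the surrounding prose, or an explicit "(replace with ...)" marker. Since the template below states the patches are being made available under embargo, it would also be worth noting next to this line that the linked writeup must live somewhere restricted to the embargoed recipients and not in a publicly readable location.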