docs: update to security process for low severity bugfixes (envoyproxy#11148)

Risk Level: n/a
Testing: n/a
Docs Changes: yes
Release Notes: no

Signed-off-by: Alyssa Wilk <[email protected]>
alyssawilk authored May 13, 2020
1 parent c07e5c8 commit afaedbb
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions SECURITY.md
@@ -72,18 +72,18 @@ severity.

If a vulnerability does not affect any point release but only master, additional caveats apply:

* If the issue is detected and a fix is available within 5 days of the introduction of the
vulnerability, the fix will be publicly reviewed and landed on master. A courtesy e-mail will be
sent to [email protected], [email protected],
[email protected] and cncf-envoy-[email protected] if
the severity is medium or greater.
* If the vulnerability has been in existence for more than 5 days, we will activate the security
release process for any medium or higher vulnerabilities. Low severity vulnerabilities will still
be merged onto master as soon as a fix is available.

We advise distributors and operators working from the master branch to allow at least 3 days soak
* If the issue is detected and a fix is available within 7 days of the introduction of the
vulnerability, or the issue is deemed a low severity vulnerability by the Envoy maintainer and
security teams, the fix will be publicly reviewed and landed on master. If the severity is at least
medium or at maintainer discretion a courtesy e-mail will be sent to envoy-[email protected],
[email protected], [email protected] and
[email protected].
* If the vulnerability has been in existence for more than 7 days and is medium or higher, we will
activate the security release process.

We advise distributors and operators working from the master branch to allow at least 5 days soak
time after cutting a binary release before distribution or rollout, to allow time for our fuzzers to
detect issues during their execution on ClusterFuzz. A soak period of 5 days provides an even stronger
detect issues during their execution on ClusterFuzz. A soak period of 7 days provides an even stronger
guarantee, since we will invoke the security release process for medium or higher severity issues
for these older bugs.

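Review bot: the day-7 boundary is left ambiguous by the two rewritten bullets, and the soak-time paragraph leans on it. The first bullet covers a fix available "within 7 days of the introduction of the vulnerability" and the second covers a vulnerability "in existence for more than 7 days", so a medium-or-higher issue detected exactly seven days after introduction is covered by neither or both, depending on how "within" is read; the closing sentence then promises that a 7-day soak "provides an even stronger guarantee, since we will invoke the security release process for medium or higher severity issues for these older bugs", which only holds if day 7 itself falls on the security-release side. Suggest making the cut explicit, e.g. "within 7 days (inclusive)" in the first bullet and "for more than 7 days" in the second, or stating the soak advice as "more than 7 days" so the two thresholds line up. Separately, the first bullet now also lands low-severity fixes publicly when "deemed a low severity vulnerability by the Envoy maintainer and security teams" regardless of age, but the courtesy e-mail sentence only triggers for "at least medium or at maintainer discretion"; if low-severity fixes landing on master without notice is intended, a short sentence saying so (the deleted text had "Low severity vulnerabilities will still be merged onto master as soon as a fix is available") would keep that explicit for distributors reading the 5-day soak guidance.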
