From afaedbb2cb81810be055dde445aa6755a7c7853c Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Wed, 13 May 2020 10:26:06 -0400 Subject: [PATCH] docs: update to security process for low severity bugfixes (#11148) Risk Level: n/a Testing: n/a Docs Changes: yes Release Notes: no Signed-off-by: Alyssa Wilk --- SECURITY.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 98bf6bffb5c2..40ebecff3bce 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -72,18 +72,18 @@ severity. If a vulnerability does not affect any point release but only master, additional caveats apply: -* If the issue is detected and a fix is available within 5 days of the introduction of the - vulnerability, the fix will be publicly reviewed and landed on master. A courtesy e-mail will be - sent to envoy-users@googlegroups.com, envoy-dev@googlegroups.com, - envoy-security-announce@googlegroups.com and cncf-envoy-distributors-announce@lists.cncf.io if - the severity is medium or greater. -* If the vulnerability has been in existence for more than 5 days, we will activate the security - release process for any medium or higher vulnerabilities. Low severity vulnerabilities will still - be merged onto master as soon as a fix is available. - -We advise distributors and operators working from the master branch to allow at least 3 days soak +* If the issue is detected and a fix is available within 7 days of the introduction of the + vulnerability, or the issue is deemed a low severity vulnerability by the Envoy maintainer and + security teams, the fix will be publicly reviewed and landed on master. If the severity is at least + medium or at maintainer discretion a courtesy e-mail will be sent to envoy-users@googlegroups.com, + envoy-dev@googlegroups.com, envoy-security-announce@googlegroups.com and + cncf-envoy-distributors-announce@lists.cncf.io. +* If the vulnerability has been in existence for more than 7 days and is medium or higher, we will + activate the security release process. + +We advise distributors and operators working from the master branch to allow at least 5 days soak time after cutting a binary release before distribution or rollout, to allow time for our fuzzers to -detect issues during their execution on ClusterFuzz. A soak period of 5 days provides an even stronger +detect issues during their execution on ClusterFuzz. A soak period of 7 days provides an even stronger guarantee, since we will invoke the security release process for medium or higher severity issues for these older bugs.