security: blameless postmortem template.

security/postmortem-template.md

@@ -0,0 +1,75 @@
+> Slimmed down template from: Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard
+> Murphy. [“Site Reliability
+> Engineering.”](https://landing.google.com/sre/book/chapters/postmortem.html),
+> modified from
+> https://raw.githubusercontent.com/dastergon/postmortem-templates/master/templates/postmortem-template-srebook.md.
+
+> Follow the SRE link for examples of how to populate.
+
+> A PR should be opened with  postmortem placed in security/postmortems/cve-year-abcdef.md. If there
+> are multiple CVEs in the postmortem, populate each alias with the string "See cve-year-abcdef.md".
+
+# Security postmortem for CVE-YEAR-ABCDEF, CVE-YEAR-ABCDEG
+
+## Incident date(s)
+
+> YYYY-MM-DD (as a date range if over a period of time)
+
+## Authors
+
+> @foo, @bar, ...
+
+## Status
+
+> Draft | Final
+
+## Summary
+
+> A few sentence summary.
+
+## CVE issue(s)
+
+> https://github.com/envoyproxy/envoy/issues/${CVE_ISSUED_ID}
+
+## Root Causes
+
+> What defect in Envoy led to the CVEs? How did this defect arise?
+
+## Resolution
+
+> How was the security release process followed? How were the fix patches
+> structured and authored?
+
+## Detection
+
+> How was this discovered? Reported by XYZ, found by fuzzing? Private or public
+> disclosure?
+
+## Action Items
+
+> Create action item issues and include in their body "Action item for
+> CVE-YEAR-ABCDEF". Modify the search string below to include in the PR:
+
+https://github.com/envoyproxy/envoy/issues?utf8=%E2%9C%93&q=is%3Aissue+%22Action+item+for+CVE-YEAR-ABCDEF%22
+
+## Lessons Learned
+
+### What went well
+
+### What went wrong
+
+### Where we got lucky
+
+## Timeline
+
+All times US/Pacific
+
+YYYY-MM-DD
+* HH:MM Cake was made available
+* HH:MM People ate the cake
+
+YYYY-MM-DD
+* HH:MM More cake was available
+* HH:MM People ate more cake
+
+## Supporting information