Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Write Runbooks for Addressing CVEs #554

Open
noelmiller opened this issue Apr 10, 2024 · 1 comment
Open

Write Runbooks for Addressing CVEs #554

noelmiller opened this issue Apr 10, 2024 · 1 comment
Labels
stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed

Comments

@noelmiller
Copy link
Member

noelmiller commented Apr 10, 2024
edited by bsherman
Loading

When dealing with #553, I noticed we did not have a defined plan for dealing with CVEs. I think it would be valuable to have a runbook on how to address CVEs.

I think we should also include information in the contributing guide about how to responsibly disclose CVEs to the team.

Rough information that should go in the runbook: (thanks @bsherman)

  1. create a "war room" thread in #ublue-dev
  2. pause all dev work (PR merges, extraneous Github builds) until CVE is handled or agreed to allow parallel efforts
  3. coordinate to write our own announcement
  4. test images/builds as needed
@dosubot dosubot bot added the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Jul 10, 2024
@dosubot dosubot bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 17, 2024
@dosubot dosubot bot removed the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Jul 17, 2024
@m2Giles m2Giles reopened this Jul 17, 2024
@dosubot DosuBot
Copy link

dosubot bot commented Nov 15, 2024

Hi, @noelmiller. I'm Dosu, and I'm helping the Main Repos team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • The issue highlights the need for a runbook to manage CVEs due to the lack of a structured approach.
  • Suggested actions include creating a "war room" thread, pausing development, coordinating announcements, and conducting build tests.
  • It also proposes adding CVE disclosure guidelines to the contributing guide.
  • There have been no comments or further activity on this issue.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of the Main Repos repository by commenting here to keep the discussion open.
  • If there is no further input, the issue will be automatically closed in 14 days.

Thank you for your understanding and contribution!

@dosubot dosubot bot added the stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed label Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale Issue has not had recent activity or appears to be solved. Stale issues will be automatically closed
Projects
Project Goals
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@noelmiller @m2Giles