Skip to content

Latest commit

 

History

History
24 lines (18 loc) · 1.48 KB

runbook.md

File metadata and controls

24 lines (18 loc) · 1.48 KB

Runbook

Read more details about each step in the Response process section of the full guide.

  1. Intake

    • The VMT receives an email or security issue detailing the issue, steps taken to create it, versions, and known mitigations.
    • The VMT replies acknowledging issue receipt.
  2. Assessment

    • The VMT decides if the issue is working-as-intended, a bug, a feature request, or a security issue.
    • The VMT responds to the reporter with their assessment.
    • If it is a vulnerability and the project is using GitHub for coordination, the VMT opens a Security Advisory and adds the reporter as a collaborator.
  3. Patching

    • The VMT (and if applicable the reporter and other necessary project maintainers) develop and test a patch on a private branch. The patch is prepared for release.
  4. CVE assignment

    • The VMT uses a CNA to request a CVE entry and credits the reporter according to the reporter’s preference.
  5. (If applicable) Embargoed notification

    • Embargoed notification with CVE number, issue description, reporter credit, affected versions, mitigation, and timeline for public disclosure.
  6. Public disclosure

    • Vulnerability publicly disclosed. Lists CVE number, issue description, reporter credit, affected versions, and mitigation.
    • Private branches for patch development are made public.