kubernetes/committee-security-response

More consistent security-announcements

tallclair opened this issue · 5 comments

We haven't historically posted a security announcement for every vulnerability. We should establish a more well defined policy for when an announcement is sent.

Possible policies include:

  1. Announcement for every CVE
  2. Announcement for every CVE with a severity over X

Another possibility is to migrate off of the current announcement flow, to something like a vulnerability dashboard that we've previously discussed (can't find the issue?).

Also: What is the scope for security announcements? E.g. do we only announce vulnerabilities in core Kubernetes? Or anything owned by the Kubernetes org?

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale