Merge pull request #84 from vincentgoat/announce-email-template
add vulnerability announcement email template
kubeedge-bot authored Jun 28, 2022
2 parents c6346c0 + 3c0a638 commit f8b184a
Showing 5 changed files with 112 additions and 6 deletions.
8 changes: 5 additions & 3 deletions .github/ISSUE_TEMPLATE/distributors-application.md
Expand Up @@ -4,7 +4,9 @@ title: Distributors Application for <YOUR DISTRIBUTION HERE>
about: Apply for membership of [email protected]
---

## **Please answer the following questions and provide supporting evidence for meeting the [membership criteria](https://github.com/kubeedge/community/blob/master/sig-security/private-distributors-list.md).**
_See [Private distributors list](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#request-to-join) for additional places the request could be posted._

## **Please answer the following questions and provide supporting evidence for meeting the [membership criteria](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#membership-criteria).**

### 1. **Actively monitored security email alias for our project:**

Expand All @@ -21,10 +23,10 @@ about: Apply for membership of [email protected]
### 5. **Be a participant and active contributor in the community.**


### 6. **Accept the [Embargo Policy](https://github.com/kubeedge/community/blob/master/sig-security/private-distributors-list.md#embargo-policy).**
### 6. **Accept the [Embargo Policy](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#embargo-policy).**


### 7. **Be willing to [contribute back](https://github.com/kubeedge/community/blob/master/sig-security/private-distributors-list.md#contributing-back).**
### 7. **Be willing to [contribute back](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#contributing-back).**


### 8. **Have someone already on the list vouch for the person requesting membership on behalf of your distribution.**
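Review bot: both link updates in this hunk (criteria 6 and 7) change the directory from `sig-security/` to `security-team/` while keeping the anchors `#embargo-policy` and `#contributing-back`. Since applicants follow these links to learn what they are agreeing to, confirm that both section anchors still exist in `security-team/private-distributors-list.md` after the move; otherwise the two criteria land at the top of the document instead of on the policy text.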
@@ -1,14 +1,14 @@
_Use this email template for pre-disclosing security vulnerabilities to distributors-announce._

TO: `distributors announce`
TO: `cncf-kubeedge-distrib-announce@lists.cncf.io`

SUBJECT: `[EMBARGOED] $CVE: $SUMMARY`

---

### EMBARGOED

The information contained in this email is **[under embargo](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#embargo-Policy)** until the scheduled public disclosure on **$DATE, at 9AM PT**.
The information contained in this email is **[under embargo](../private-distributors-list.md#embargo-Policy)** until the scheduled public disclosure on **$DATE, at 9AM PT**.

_Additional details on the embargo conditions._
- _If a patch is provided, can it be deployed?_
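Review bot: the embargo link in the replaced line switches from an absolute GitHub URL to the relative path `../private-distributors-list.md#embargo-Policy`. This template is meant to be pasted into an email to distributors-announce, where a relative markdown path resolves to nothing, so the absolute URL should stay in the email body. Separately, the anchor uses a capital P (`#embargo-Policy`) while the other templates in this change use `#embargo-policy`; GitHub heading anchors are lowercase, so the mixed-case form will not jump to the Embargo Policy section. The `TO:` update to the concrete list address is a good fix, since `distributors announce` was not a deliverable address.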
35 changes: 35 additions & 0 deletions security-team/comms-templates/join-announcement-email-list.md
@@ -0,0 +1,35 @@
_Use this email template for applying for membership of [email protected]._

TO: `[email protected]`

SUBJECT: `Distributors Application`

_See [Private distributors list](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#request-to-join) for additional places the request could be posted._

---

## **Please answer the following questions and provide supporting evidence for meeting the [membership criteria](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#membership-criteria).**

### 1. **Actively monitored security email alias for our project:**


### 2. **Have a user base not limited to your own organization.**


### 3. **Have a publicly verifiable track record up to present day of fixing security issues.**


### 4. **Not be a downstream or rebuild of another distribution.**


### 5. **Be a participant and active contributor in the community.**


### 6. **Accept the [Embargo Policy](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#embargo-policy).**


### 7. **Be willing to [contribute back](https://github.com/kubeedge/community/blob/master/security-team/private-distributors-list.md#contributing-back).**


### 8. **Have someone already on the list vouch for the person requesting membership on behalf of your distribution.**

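Review bot: criteria 1 to 8 in this new email template repeat the issue template `.github/ISSUE_TEMPLATE/distributors-application.md` word for word, so any future change to the membership criteria has to be made in two places. Either keep this file as the single source and have the issue template point to it, or add a comment at the top of both files noting that they must be kept in sync.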
69 changes: 69 additions & 0 deletions security-team/comms-templates/vulnerability-announcement-email.md
@@ -0,0 +1,69 @@
_Use this email template for publicly disclosing security vulnerabilities._

_The email should be **concise** and **actionable**. Assume the audience are not
KubeEdge developers. Non-actionable information (e.g. technical discussion of
the vulnerability) should be deferred to the [vulnerability
issue](vulnerability-announcement-issue.md)._

TO: `[email protected], [email protected]`

SUBJECT: `[Security Advisory] $CVE: $SUMMARY`

_See [Fix disclosure process](../security-release-process.md#fix-disclosure-process) for additional places the announcement should be posted._

---

Hello KubeEdge Community,

A security issue was discovered in KubeEdge where $ACTOR may be able to $DO_SOMETHING.

This issue has been rated **$SEVERITY** (link to CVSS calculator https://www.first.org/cvss/calculator/3.1) (optional: $SCORE), and assigned **$CVE_NUMBER**

### Am I vulnerable?

_How to determine if a cluster is impacted. Include:_
- _Vulnerable configuration details_
- _Commands that indicate whether a component, version or configuration is used_

#### Affected Versions

- $COMPONENT $VERSION_RANGE_1
- $COMPONENT $VERSION_RANGE_2 ...
- ...

### How do I mitigate this vulnerability?

_(If additional steps required after upgrade)_
**ACTION REQUIRED:** The following steps must be taken to mitigate this vulnerability: ...

_(If possible):_ Prior to upgrading, this vulnerability can be mitigated by ...

#### Fixed Versions

- $COMPONENT $VERSION
- $COMPONENT $VERSION
- ...

_(If fix has side effects)_ **Fix impact:** details of impact.

To upgrade, refer to the documentation: ... ($COMPONENT upgrade documentation)

### Detection

_How can exploitation of this vulnerability be detected?_

If you find evidence that this vulnerability has been exploited, please contact [email protected]

#### Additional Details

See the GitHub advisory for more details: $GITHUBADVISORY

#### Acknowledgements

This vulnerability was reported by $REPORTER.

_(optional):_ The issue was fixed and coordinated by $FIXTEAM and $RELEASE_MANAGERS.

Thank You,

$PERSON on behalf of the KubeEdge Security Team
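Review bot: the placeholder for the CVE identifier is `$CVE` in the subject line but `$CVE_NUMBER` in the body sentence beginning "This issue has been rated", which will confuse whoever fills in the template; use one name. That sentence also has no terminating period, and "Assume the audience are not KubeEdge developers" should read "the audience is not". Two relative links, `vulnerability-announcement-issue.md` and `../security-release-process.md#fix-disclosure-process`, refer to files that are not among the five changed in this commit; confirm both exist under `security-team/`, or the announcement author lands on a 404 from the template. The Detection section with a contact address for suspected exploitation is a useful addition for downstream operators.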
2 changes: 1 addition & 1 deletion security-team/private-distributors-list.md
Expand Up @@ -43,4 +43,4 @@ To be eligible for the [[email protected]](mailto:cnc

### Request to Join

File an issue [here](https://github.com/kubeedge/community/issues/new?template=distributors-application.md), filling in the criteria template.
File an issue [here](https://github.com/kubeedge/community/issues/new?template=distributors-application.md), or send an [email](comms-templates/join-announcement-email-list.md), filling in the criteria template.

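Review bot: "or send an [email](comms-templates/join-announcement-email-list.md), filling in the criteria template" reads as though the email itself is the template; clearer is "or send an email using [this template](comms-templates/join-announcement-email-list.md)". The relative path does resolve correctly from `security-team/private-distributors-list.md` to the new file added in this commit.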