* | Disclosure/notification of embargoed security vulnerabilities | Team | What types of notifications are required?
- Prior notice to system operators, giving advance notice that a critical vulnerability has been identified and a fix is being worked on. It's advised that the issue be patched ASAP once the release has been made available (with some expected release date).
- No details of the vulnerability should be included in this notification!
- A notice to system operators stating that a release is available and should be applied ASAP
- Includes information about the release and the associated risk, but not the vulnerability or how to exploit it
- To be continued due to lack of time.
Who gets the initial notice #1 above?
- SysOps SIG mailing list?
- OLF members?
- #SysOps Slack channel?
|