* | Disclosure/notification of embargoed security vulnerabilities | Team | What types of notifications are required? Prior notice to system operators giving advanced notice that a critical vulnerability has been identified and a fix is being worked on. It's advised that the issue is patched ASAP once the release has been made available (with some expected release date). No details of the vulnerability should be included in this notification!
A notice to system operators stating that a release is available and should be applied ASAP Includes information about the release and the associated risk, but not the vulnerability or how to exploit it
To be continued due to lack of time.
Who gets the initial notice #1 above? SysOps SIG mailing list? #SysOps slack channel?
TODO: @Craig McNally will check in with Oleksii P. to see if we can nail down a date for release @Craig McNally (or whoever gets to it first) to pull together a rough draft of the message w/ placeholder for release availablility.
|