What types of notifications are required?
- Prior notice to system operators giving advance notice that a critical vulnerability has been identified and a fix is being worked on. It's advised that the issue be patched ASAP once the release has been made available (with some expected release date).
  - No details of the vulnerability should be included in this notification!
- A notice to system operators stating that a release is available and should be applied ASAP.
  - Includes information about the release and the associated risk, but not the vulnerability or how to exploit it.
- To be continued due to lack of time.
Who gets the initial notice #1 above?
- SysOps SIG mailing list?
- #SysOps Slack channel?
TODO:
- Craig McNally will check in with Oleksii P. to see if we can nail down a date for release.
- Craig McNally (or whoever gets to it first) to pull together a rough draft of the message w/ placeholder for release availability.