mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-04-18 09:44:09 +03:00
bind9/.gitlab/issue_templates/Internal_use_only-CVE.md
2025-02-11 17:34:52 +01:00
Quick Links 🔗
Incident Manager: @user
Deputy Incident Manager: @user
Public Disclosure Date: YYYY-MM-DD
CVSS Score: 0.0
CWE: CWE-NNN
Security Advisory: isc-private/printing-press!NNN
Mattermost Channel: [CVE-YYYY-NNNN][mattermost_url]
Support Ticket: [URL]
Release Checklist: #NNNN

[mattermost_url]:

💡 Click here (internal resource) for general information about the security incident handling process.

Earlier Than T-5

  • 🔗 (IM) Pick a Deputy Incident Manager
  • 🔗 (IM) Respond to the bug reporter
  • 🔗 (SwEng) Ensure there are no public merge requests which inadvertently disclose the issue
  • 🔗 (SwEng) Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary)
  • 🔗 (IM) Assign a CVE identifier
  • 🔗 (SwEng) Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category
  • 🔗 (SwEng) Determine the range of product versions affected (including the Subscription Edition)
  • 🔗 (SwEng) Determine whether workarounds for the problem exist
  • 🔗 (Support) Prepare "earliest" notification text
  • 🔗 (Support) Update the "earliest" notification ticket in the support portal's Earliest queue, which will notify earliest customers
  • 🔗 (Support) Create a merge request for the Security Advisory and include all readily available information in it
  • 🔗 (SwEng) Prepare a private merge request containing a system test reproducing the problem
  • 🔗 (SwEng) Notify Support when a reproducer is ready
  • 🔗 (SwEng) Prepare a detailed explanation of the code flow triggering the problem
  • 🔗 (SwEng) Prepare a private merge request with the fix
  • 🔗 (SwEng) Ensure the merge request with the fix is reviewed and has no outstanding discussions
  • 🔗 (Support) Review the documentation changes introduced by the merge request with the fix
  • 🔗 (SwEng) Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
  • 🔗 (Support) Finish preparing the Security Advisory
  • 🔗 (QA) Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
  • 🔗 (SwEng) Make sure other vendors are able to release on the date that was previously agreed upon
  • 🔗 (QA) Merge the CVE fixes in CVE identifier order
  • 🔗 (QA) Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
  • 🔗 (QA) Prepare ASN releases (as outlined in the Release Checklist)

At T-5

  • 🔗 (Marketing) (BIND 9 only) Update the BIND -S information document in the support portal with download links to the new versions
  • 🔗 (Support) Notify eligible customers by adding a ticket to the 5 Day queue in RT with the text of the advisory (earliest, and T-5)
  • 🔗 (Marketing) (BIND 9 only) Send a pre-announcement email to the bind-announce mailing list to alert users that the upcoming release will include security fixes

At T-3

  • 🔗 (Support) Notify eligible customers by adding a ticket to the 3 Day queue in RT with the text of the advisory (T-3)

At T-1

  • 🔗 (First IM) Send notifications to OS packagers

On the Day of Public Disclosure

  • 🔗 (IM) Grant QA & Marketing clearance to proceed with public release
  • 🔗 (Support) (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
  • 🔗 (Support) Bump Document Version for the Security Advisory in Printing Press
  • 🔗 (Support) Publish the Security Advisory in the Knowledge Base
  • 🔗 (QA/Marketing) Publish the releases (as outlined in the release checklist)
  • 🔗 (First IM) Send notification emails to third parties
  • 🔗 (First IM) Advise MITRE about the disclosed CVEs
  • 🔗 (First IM) Merge the Security Advisory merge request
  • 🔗 (IM) Inform original reporter (if external) that the security disclosure process is complete
  • 🔗 (Support) Update the tickets in the ASN queues in RT that the embargo is lifted
  • 🔗 (Marketing) Open a ticket in the appropriate announce queue in RT that the release is published

After Public Disclosure

  • 🔗 (QA) Merge a regression test reproducing the bug into all affected (and still maintained) branches

/confidential