github.com/projectcontour/contour@v1.28.2/site/content/resources/security-checklist.md

---
title: Security Response Checklist
layout: page
---

This document outlines a checklist for Contour security team members (at the time of writing, these are the same people as the maintainer team) to step through in the event that Contour has a CVE that needs to be mitigated.

## A CVE has been reported, what do I do?

1. A user discovers a vulnerability and notifies cncf-contour-maintainers@lists.cncf.io
1. The Contour maintainer team triages the vulnerability with the reporter and decides which patch releases are needed (multiple minors could be impacted), as well as which downstream distributors are affected.
1. Create a Security Advisory draft in the Contour GitHub repo: https://github.com/projectcontour/contour/security/advisories
    - The advisory requires the patched versions to be listed
    - As part of this, fill out the CVSS score and the CWE identifier, and request a CVE ID via GitHub.
1. Create a private fork for the Security Advisory from the Advisory page, and ensure everyone who needs access can see it.
1. Do not publish the draft; keep it in draft mode until the patch is released
    - Remember to give credit to the reporter; they may however remain anonymous or keep their company information private if they wish
1. Communicate to the reporter that the draft has been created and that precise release dates are still being decided
1. Send an email to the Distributors mailing list (cncf-contour-distributors-announce@lists.cncf.io) with the disclosure and patch release dates. It can include:
    - Learn from previous mistakes: send this through the web interface at https://lists.cncf.io/g/cncf-contour-distributors-announce/ !
      Don't use a mail client that may "correct" the address to another one for you.
    - Description of the vulnerability
    - Contour versions affected
    - Known attack vectors
    - Possible workarounds
    - Next steps, including patch releases
    - Leave out the CVE ID
    - Get buy-in from the distributors on the release date, or at least see if there are objections
    - Post the embargo note (sourced from https://projectcontour.io/resources/security-process/) at the bottom:
      ```
      The information that members receive on the Contour Distributors mailing list must not be made public, shared, or even hinted at anywhere beyond those who need to know within your specific team, unless you receive explicit approval to do so from the Contour Security Team. This remains true until the public disclosure date/time agreed upon by the list. Members of the list and others cannot use the information for any reason other than to get the issue fixed for your respective distribution's users.
      Before you share any information from the list with members of your team who are required to fix the issue, these team members must agree to the same terms, and only be provided with information on a need-to-know basis.

      In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the [Contour Security Team](https://projectcontour.io/resources/security-process#mailing-lists) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.
      ```
    - Add the #security tag to the message
1. Release patches for all supported minors
    - Submit PRs for the fixes with pithy commit messages, or even no commit message.
      The point is to ensure that we don't give away the CVE in a commit message before the public release.
1. When all patches are released and the embargo date is reached, publish the security advisory that was in draft mode.
1. The same email as above can now be sent to the broader public Contour users mailing list as well
1. Follow up on cncf-contour-distributors-announce@lists.cncf.io as well, notifying users that the releases are out
1. Do a team retrospective on the CVE release, if applicable