Description:
Projects like Envoy proxy have a robust process for vulnerability management, outlined here. OSS control planes like Istio have similar processes in place.
Envoy Gateway should establish similar processes, communication channels, responsibilities, SLOs, etc.
More concretely, the following should be done:
Create a public vulnerability reporting and disclosure process:
Create an email for Envoy Gateway vulnerability reporting
Establish a security team responsible for monitoring vulnerability reports and determine criteria for membership
Define a security assessment and fix process:
Determine how a security team member (or members) is appointed to determine the severity of a reported issue and/or develop a fix (e.g. release manager for upstream Envoy patches, security team member on duty for EG-specific issues, code owner, ad-hoc decision by the security team...)
Where is the fix developed (private GH repo?)
What are the SLAs for the fix to be available (time to determine severity since disclosure, time to fix from severity determination based on severity level)
Create process for early disclosure
Establish criteria for membership in early disclosure group
Determine when a vulnerability is disclosed with the early disclosure group
Create an early disclosure reporting email for Envoy Gateway
Define an embargo policy
Create a public vulnerability disclosure process for Envoy Gateway:
Decide on a medium for vulnerability disclosure (EG Site, Slack Announcement)
Define how fixes relate to the release process in terms of release responsibility, announcement, etc.
Additionally, Envoy Gateway security representatives should strive to join the Envoy Proxy private distributor list, to ensure early disclosure of vulnerabilities and proper preparation for fix releases.
guydc changed the title from "Establish processes for security issue reporting, evaluation, fix release," to "Establish processes for security issue reporting, evaluation, fix release" on Mar 14, 2024