Skip to content

Latest commit

 

History

History
50 lines (35 loc) · 1.81 KB

vulnerability-management.md

File metadata and controls

50 lines (35 loc) · 1.81 KB

Vulnerability Management: Working Group Charter

Mission

Provides discreet management of security vulnerabilities issues relevant for active CF projects.

Goals

  • Provide a single point of contact for security vulnerability reporting and management.
  • Provide management of security vulnerability reports through to resolution, including but not limited to triage, reporter and team coordination, embargo negotiation, CVSS scoring, CVE assignments, pre-disclosure and disclosure.

Scope

  • Triage incoming security vulnerability reports to [email protected].
  • Manage vulnerabilities through dedicated slack channels.
  • When appropriate, negotiate suitable embargo periods with the reporter to afford component teams time to fix the issue before it becomes known publicly.
  • When appropriate, assign CVE numbers to vulnerabilities/fixes.
  • Publish pre-disclosures to allow all CF distributions time to adopt fixes for high/critical vulnerabilities before they become known publicly.
  • Publish disclosures of reported security vulnerabilities.

Non-Goals

  • Add security-related features to Cloud Foundry projects.

Technical Lead(s):

Execution Lead(s):

Roles & Technical Assets

Security process and broadcast channels for security disclosures.

name: Vulnerability Management
execution_leads:
- name: Thomas Thalhofer
  github: thomasthal
technical_leads:
- name: Paul Warren
  github: paulcwarren
bots: []
areas: []