I'd like to create & document an incident response process that we can delegate better. This should include specific steps to follow, action items, timelines, etc. Ideally it could be handed off to non-SRC members who have never been involved in a Kubernetes security response before, and they'd be able to follow the instructions to lead a security response.

Considerations for non-SRC incident responders:

• They don't have access to HackerOne, distributors list, etc. An SRC member will still need to act in a comms role, minimally for H1 involvement and to post announcements.
• They don't (shouldn't) have access to our issues tracker. We need a workflow where individual issues can be shared on a need-to-know basis. Ideas: google doc (meh, requires google account), GitHub security advisories on a dedicated org (SRC needs to be repo admins)
• Every non-SRC IC should have a dedicated SRC contact. Regular status updates should be shared with the SRC member.

This would also be useful to SRC members, and should include checklists & timelines for response.

@tallclair I would be happy to help out on this from the lens of how sub-project maintainers may need to lead a security response for their projects. Will connect with you on slack to find some common time to discuss more.

Also, there is an opportunity to reuse some ideas / template from here: https://github.com/cncf/tag-security/blob/main/project-resources/templates/incident-response.md

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-triage-robot: Closing this issue.