More consistent security-announcements

Question

More consistent security-announcements

tallclair opened this issue 5 years ago · comments

We haven't historically posted a security announcement for every vulnerability. We should establish a more well defined policy for when an announcement is sent.

Possible policies include:

Announcement for every CVE
Announcement for every CVE with a severity over X

Another possibility is to migrate off of the current announcement flow, to something like a vulnerability dashboard that we've previously discussed (can't find the issue?).

Tim Allclair · Answer 1 · Thu Nov 07 2019 01:14:49 GMT+0800 (China Standard Time)

Also: What is the scope for security announcements? E.g. do we only announce vulnerabilities in core Kubernetes? Or anything owned by the Kubernetes org?

fejta-bot · Answer 2 · Wed Feb 05 2020 01:49:08 GMT+0800 (China Standard Time)

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Tim Allclair · Answer 3 · Wed Feb 05 2020 06:11:52 GMT+0800 (China Standard Time)

/remove-lifecycle stale

fejta-bot · Answer 4 · Tue May 05 2020 07:01:29 GMT+0800 (China Standard Time)

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Tim Allclair · Answer 5 · Fri May 08 2020 01:39:10 GMT+0800 (China Standard Time)

/remove-lifecycle stale