Create SECURITY.md #1039
Merged
+29
−0
Changes from 6 commits

7 commits:
de58c77 Create SECURITY.md (miao0miao)
91bfa14 Update SECURITY.md (miao0miao)
9c50b56 Update SECURITY.md (miao0miao)
e1b4184 Update SECURITY.md (miao0miao)
16d92a3 Update SECURITY.md (miao0miao)
49c4625 Update SECURITY.md (miao0miao)
adf904e Update SECURITY.md (t-lo)
@@ -0,0 +1,30 @@ | ||
# Flatcar Security | ||
To keep Flatcar secure, the maintainers put a strong focus on tracking new and existing security issues. | ||
Dealing with Security concerns is owned by the [Flatcar Security team](https://github.com/orgs/flatcar/teams/flatcar-security-team), a sub-set of the Maintainers team, and elected by the Maintainers (see [governance.md](./governance.md)). | ||
|
||
While the team actively researches and tracks new and existing security issues, it may also be notified of issues via [[email protected]](mailto:[email protected]). | ||
|
||
The Security team meets in a fortnightly cadence, in a private video call. | ||
The team maintains an internal list of security Primaries and Secondaries, which are rotated on a weekly basis. | ||
Primary and Secondary are expected to actively engage in security work each day, including executing the Runbook (see below) and working on fixing ongoing security issues. | ||
|
||
Undisclosed security issues are tracked in a private repository only accessible by members of the security team. | ||
Public issues are tracked publicly in the project's main issue tracker. | ||
|
||
Security issues are addressed by releasing an updated OS image. Releases may be expedited depending on the issues' severity. For each release, release notes contain a concise list of security issues fixed. Also, a separate, detailed report on each of the issues addressed is part of every release. | ||
|
||
## Daily security runbook for Security team primaries and secondaries | ||
|
||
The runbook below discusses steps for identifying new potential security issues and for making the issues known to the Flatcar project's maintainers and / or the other members of the Security team. | ||
Embargoed issues are recorded in a private issue tracker only accessible by the Security team, while public issues are openly tracked in the [Flatcar project](https://github.com/Flatcar/Flatcar/issues). | ||
|
||
|
||
Primaries are expected to execute the runbook at least once per day, optionally assisted or off-loaded by Secondaries. | ||
|
||
Every day look into upstream security trackers like below: | ||
- Gentoo security vulnerabilities. It might be useful to use gorss + RSS feed for this. | ||
- oss-security mailing list | ||
- Golang announce mailing list | ||
- Rust security announcements | ||
- (optional) issue trackers of other distros | ||
- Whenever we discover any new CVE, we add it to an internal database, and use automation tools to create a new issue about the CVE in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues) with labels `security` and `advisory`. | ||
- If an issue of updating the specific package affected by the new CVE is already open in [Flatcar GitHub issues](https://github.com/Flatcar/Flatcar/issues), then unfortunately we need to manually edit the existing issue to add the new CVE. |
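Review bot: The reporting paragraph ("While the team actively researches and tracks new and existing security issues, it may also be notified of issues via ...") names a mailbox but says nothing about what a reporter can expect afterwards; a public SECURITY.md should state whether encrypted reports are accepted and where the key is published, the acknowledgement time the team commits to, and how embargo and public disclosure are decided, otherwise external reporters will fall back to the public tracker, which defeats the private repository described a few lines later. Separately, the sentence "Embargoed issues are recorded in a private issue tracker only accessible by the Security team, while public issues are openly tracked ..." restates the earlier "Undisclosed security issues are tracked in a private repository ..." paragraph and can be dropped. In the runbook list, the last two bullets ("Whenever we discover any new CVE ..." and "If an issue of updating the specific package ... is already open ...") are handling steps rather than trackers to look into; moving them into a short "When a new CVE is found" list after the tracker list would make the daily procedure easier to follow, and the automation that files the `security`/`advisory` issues should be named or linked so that a new Primary can find it.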
This line is a duplicate of lines 11-12 above. Let's simply remove it.