security: update policy for fix/disclosure SLOs.#11243
Merged
htuch merged 2 commits intoenvoyproxy:masterfrom May 19, 2020
Merged
security: update policy for fix/disclosure SLOs.#11243htuch merged 2 commits intoenvoyproxy:masterfrom
htuch merged 2 commits intoenvoyproxy:masterfrom
Conversation
The idea is to prepare for the Envoy bug bounty, help burn down the envoy-setec backlog and set expectations to disclosers. The 90 days limit comes from the fuzz bug disclosure deadline and https://www.google.com/about/appsecurity/. Signed-off-by: Harvey Tuch <htuch@google.com>
htuch
commented
May 18, 2020
| * Three weeks notice will be provided to private distributors from patch | ||
| availability until the embargo deadline. | ||
|
|
||
| * Public zero days will be fixed ASAP, but there is no SLO for this, since this |
Member
Author
There was a problem hiding this comment.
I'm kind of torn on this one. OTOH, setting no SLO for a zero day seems like a terrible idea. OTOH, expecting any individual member of the Envoy security team to drop everything also seems kind of bad. I think if we had an on-call rotation for Envoy security team to deal with triage and fixing public zero days it might be possible to set an SLO. Any thoughts on this?
Member
There was a problem hiding this comment.
I'm skeptical of an SLO here, as it really depends on the issue and how hard it is to fix. IMO this language is fine for now and we can improve later as needed.
Member
Author
|
CC @envoyproxy/security-team |
mattklein123
previously approved these changes
May 18, 2020
Member
mattklein123
left a comment
There was a problem hiding this comment.
LGTM, thanks for the clarifications. Will defer to the rest of the security team for further comments.
ggreenway
reviewed
May 18, 2020
Signed-off-by: Harvey Tuch <htuch@google.com>
mattklein123
approved these changes
May 19, 2020
ggreenway
approved these changes
May 19, 2020
spenceral
added a commit
to spenceral/envoy
that referenced
this pull request
May 20, 2020
Signed-off-by: Spencer Lewis <slewis@squareup.com> * master: (33 commits) docs: break release notes into categories (envoyproxy#11217) admin: extract more handlers to separate classes (envoyproxy#11258) Load reporting service documentation (envoyproxy#10962) http: testing 304-with-body behavior (envoyproxy#11261) fixing typos and breaking link issues (envoyproxy#11270) devex: initial commit of devcontainer setup (envoyproxy#11207) security: update policy for fix/disclosure SLOs. (envoyproxy#11243) http: fixing CONNECT to not advertise chunk encoding. (envoyproxy#11245) docs: update upstream network filters description (envoyproxy#11231) deps: update datadog tracer to v1.1.5 (envoyproxy#11253) test: Fix missing instantiation of parameterized tests. (envoyproxy#11247) fix go mirror when no changes (envoyproxy#11249) docs: host_rewrite -> host_rewrite_literal (envoyproxy#11229) wasm: update V8 to v8.3.110.9. (envoyproxy#11233) tls: update BoringSSL to 107c03cf (4103). (envoyproxy#11232) bazelci: always exclude nocoverage tag in coverage config (envoyproxy#11226) ci: save api revision in go-control-plane (envoyproxy#11220) build: fix cares build (envoyproxy#11225) stats: Pre-allocate codec stats for http1 and http2 (envoyproxy#11135) api: manifest based edge default documentation. (envoyproxy#11151) ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The idea is to prepare for the Envoy bug bounty, help burn down the envoy-setec
backlog and set expectations to disclosers. The 90 days limit comes from
the fuzz bug disclosure deadline and
https://www.google.com/about/appsecurity/.
Signed-off-by: Harvey Tuch htuch@google.com