diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 8f5417055b..e24fc84ddf 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -6,85 +6,85 @@ if it involves an assertion failure or other crash in `named` that can be triggered repeatedly - then please make sure that you make the new issue confidential! --> -| Quick Links | :link: | -| ------------------------ | ----------------------------------------------- | -| Incident Manager: | @user | -| Deputy Incident Manager: | @user | -| Public Disclosure Date: | YYYY-MM-DD | -| CVSS Score: | [0.0][cvss_score_url] | -| CWE: | [CWE-NNN][cwe_category_url] | -| Earliest Notification: | support-team/earliest-notification-drafting!NNN | -| Security Advisory: | isc-private/printing-press!NNN | -| Mattermost Channel: | [CVE-YYYY-NNNN][mattermost_url] | -| Support Ticket: | [URL] | -| Release Checklist: | #NNNN | +| How to? | Click on [:grey_question:][checklist_explanations] for each step | +| ------------------------ | ---------------------------------------------------------------------- | +| Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | +| Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | +| Public Disclosure Date: | YYYY-MM-DD | +| CVSS Score: | [0.0][cvss_score_url] | +| CWE: | [CWE-NNN][cwe_category_url] | +| Earliest Notification: | support-team/earliest-notification-drafting!NNN | +| Security Advisory: | isc-private/printing-press!NNN | +| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | +| Support Ticket: | [URL] | +| Release Checklist: | #NNNN | [cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html -[mattermost_url]: https://mattermost.isc.org/isc/channels/cve-YYYY-NNNN +[zulip_url]: https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE-... :bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** +:question: Not sure about something? Ask! + [checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations ### Before Code Freeze - - [ ] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager - - [ ] [:link:][step_respond] **(IM)** Respond to the bug reporter - - [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - - [ ] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier - - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category - - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition) - - [ ] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist - - [ ] [:link:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - - [ ] [:link:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - - [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it - - [ ] [:link:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem - - [ ] [:link:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready - - [ ] [:link:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem - - [ ] [:link:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer - - [ ] [:link:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions - - [ ] [:link:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix - - [ ] [:link:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product - - [ ] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory - - [ ] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - - [ ] [:link:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon + - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter + - [ ] [:grey_question:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue + - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) + - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier + - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category + - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition) + - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text + - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers + - [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it + - [ ] [:grey_question:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem + - [ ] [:grey_question:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready + - [ ] [:grey_question:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem + - [ ] [:grey_question:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer + - [ ] [:grey_question:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions + - [ ] [:grey_question:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix + - [ ] [:grey_question:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product + - [ ] [:grey_question:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved + - [ ] [:grey_question:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory + - [ ] [:grey_question:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle + - [ ] [:grey_question:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon ### Earlier Than T-5 - - [ ] [:link:][step_merge_fixes] **(QA)** Merge the CVE fixes in CVE identifier order - - [ ] [:link:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist) + - [ ] [:grey_question:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist) ### At T-5 - - [ ] [:link:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions - - [ ] [:link:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5) - - [ ] [:link:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate *-announce* mailing list to alert users that the upcoming release will include security fixes + - [ ] [:grey_question:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions + - [ ] [:grey_question:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5) + - [ ] [:grey_question:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate *-announce* mailing list to alert users that the upcoming release will include security fixes ### At T-3 - - [ ] [:link:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3) + - [ ] [:grey_question:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3) ### At T-1 - - [ ] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers + - [ ] [:grey_question:][step_packager_emails] **(First IM)** Send notifications to OS packagers ### On the Day of Public Disclosure - - [ ] [:link:][step_clearance] **(IM)** Grant QA & Marketing clearance to proceed with public release - - [ ] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base - - [ ] [:link:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press - - [ ] [:link:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base - - [ ] [:link:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist) - - [ ] [:link:][step_notifications] **(First IM)** Send notification emails to third parties - - [ ] [:link:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs - - [ ] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request - - [ ] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete - - [ ] [:link:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted - - [ ] [:link:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) + - [ ] [:grey_question:][step_clearance] **(SwEng)** Grant QA & Marketing clearance to proceed with public release + - [ ] [:grey_question:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base + - [ ] [:grey_question:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press + - [ ] [:grey_question:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base + - [ ] [:grey_question:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist) + - [ ] [:grey_question:][step_notifications] **(First IM)** Send notification emails to third parties + - [ ] [:grey_question:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs + - [ ] [:grey_question:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request + - [ ] [:grey_question:][step_embargo_end] **(SwEng)** Inform original reporter (if external) that the security disclosure process is complete + - [ ] [:grey_question:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted + - [ ] [:grey_question:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) -[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager +[step_incident_manager]: https://gitlab.isc.org/isc-private/bind9/-/wikis/Initial-Handling-of-(Potential)-Security-Issues [step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter [step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue [step_coordinate_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#check-if-we-need-to-coordinate-with-other-vendors-an-industry-wide-cve-identifier-might-be-necessary