mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-21 01:50:07 -04:00
2c20f23b69
Rework the Security Incident Handling Checklist so that it does not only contain the SWENG-side steps for handling a security incident, but also all the other steps required by ISC procedures.
14 KiB
14 KiB
| Quick Links | 🔗 |
|---|---|
| Incident Manager: | @user |
| Deputy Incident Manager: | @user |
| Public Disclosure Date: | YYYY-MM-DD |
| CVSS Score: | 0.0 |
| Security Advisory: | isc-private/printing-press!NNN |
| Mattermost Channel: | CVE-YYYY-NNNN |
| Support Ticket: | [URL] |
| Release Checklist: | #NNNN |
| Post-mortem Etherpad: | [postmortem-YYYY-MM][postmortem_url] |
💡 Click here (internal resource) for general information about the security incident handling process.
Earlier Than T-5
- 🔗 (IM) Pick a Deputy Incident Manager
- 🔗 (IM) Respond to the bug reporter
- 🔗 (IM) Create an Etherpad for post-mortem
- 🔗 (SwEng) Ensure there are no public merge requests which inadvertently disclose the issue
- 🔗 (IM) Assign a CVE identifier
- 🔗 (SwEng) Update this issue with the assigned CVE identifier and the CVSS score
- 🔗 (SwEng) Determine the range of product versions affected (including the Subscription Edition)
- 🔗 (SwEng) Determine whether workarounds for the problem exist
- 🔗 (SwEng) If necessary, coordinate with other parties
- 🔗 (Support) Prepare and send out "earliest" notifications
- 🔗 (Support) Create a merge request for the Security Advisory and include all readily available information in it
- 🔗 (SwEng) Prepare a private merge request containing a system test reproducing the problem
- 🔗 (SwEng) Notify Support when a reproducer is ready
- 🔗 (SwEng) Prepare a detailed explanation of the code flow triggering the problem
- 🔗 (SwEng) Prepare a private merge request with the fix
- 🔗 (SwEng) Ensure the merge request with the fix is reviewed and has no outstanding discussions
- 🔗 (Support) Review the documentation changes introduced by the merge request with the fix
- 🔗 (SwEng) Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
- 🔗 (Support) Finish preparing the Security Advisory
- 🔗 (QA) Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- 🔗 (QA) (BIND 9 only) Reserve a block of
CHANGESplaceholders once the complete set of vulnerabilities fixed in a given release cycle is determined - 🔗 (QA) Merge the CVE fixes in CVE identifier order
- 🔗 (QA) Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
- 🔗 (QA) Prepare ASN releases (as outlined in the Release Checklist)
At T-5
- 🔗 (Support) Send ASN to eligible customers
- 🔗 (Support) (BIND 9 only) Send a pre-announcement email to the bind-announce mailing list to alert users that the upcoming release will include security fixes
At T-4
- 🔗 (Support) Verify that all ASN-eligible customers have received the notification email
At T-1
- 🔗 (Support) Verify that any new or reinstated customers have received the notification email
- 🔗 (First IM) Send notifications to OS packagers
On the Day of Public Disclosure
- 🔗 (IM) Grant Support clearance to proceed with public release
- 🔗 (Support) Publish the releases (as outlined in the release checklist)
- 🔗 (Support) (BIND 9 only) Update vulnerability matrix in the Knowledge Base
- 🔗 (Support) Bump Document Version for the Security Advisory and publish it in the Knowledge Base
- 🔗 (First IM) Send notification emails to third parties
- 🔗 (First IM) Advise MITRE about the disclosed CVEs
- 🔗 (First IM) Merge the Security Advisory merge request
- 🔗 (IM) Inform original reporter (if external) that the security disclosure process is complete
- 🔗 (Support) Inform customers a fix has been released