...
- Extreme caution must be exercised while handling this bug.
- If the bug has been reported via encrypted email, no plain-text communication should be used.
- A secure communication channel with the PTL or project security contact point should be established (GPG, Zoom with end-to-end encryption enabled, etc.).
All Vulnerabilities
- The PTL or project security contact point should be provided with the bug details to confirm the initial severity.
- The severity level should be finalized:
  - If the PTL or project security contact point agrees with the initially assigned severity, a "Severity-confirmed" label should be added to the task.
  - If the PTL or project security contact point disagrees with the initially assigned severity, a clear justification should be provided, the severity level updated, and the "Severity-confirmed" label added to the task.
- If the bug has been received via email, a triage confirmation email should be sent to the reporter.
Hardening opportunities
1.
Non-Security bugs
- If the bug has been classified as non-security, the ticket should be made publicly visible.
- The PTL of the impacted project is responsible for further handling of this bug.
Patch development
Patch review
The security team should provide a judgement call on the severity of the issue for the most common use case of the project. Suggested impact rating categories:
...