
Add a checklist for handling security issues

Michał Kępień requested to merge michal/add-a-checklist-for-handling-cves into main

This MR attempts to address the shortcomings of the current CVE handling process, as seen from the perspective of SWENG.

The idea is that the checklist added by this MR would be used as a template for confidential GitLab issues holding details about security issues.

The checklist suggests a specific order of actions, but does not enforce it.

What should be enforced, though, IMHO, is that no security issue should be considered fully handled by SWENG until all but the last three actions on the checklist are carried out.

If accepted, this checklist could then be utilized by IM/QA to ensure that all SWENG actions for a given issue were in fact completed.

IMO, this proposal should be reviewed or at least read by @bind-team, @support-team, and @vicky.

Edited by Michał Kępień
