From: Ben Scott
Date: Wed, 10 Jun 2026 17:08:32 +0000 (-0400)
Subject: CVE and CVSS+CWE as separate steps
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a026d31095a29a99c396b1fe3e380f3467120a22;p=thirdparty%2Fbind9.git

CVE and CVSS+CWE as separate steps

"Assigning CVE" and "Assigning CVSS+CWE" are really two different steps. CVE is bookkeeping; we just request the ID and type it in. CVSS and CWE require a judgement determination, and often involve discussion.

At the same time, sometimes we forget to put the CVE ID in right away. Since we already have a separate step for CVE assignment, let's put "update the issue with the CVE ID" in that step, too. Then the second step can be entirely about CVSS+CWE.

Same number of steps, just clearer separation of what the steps are about.
---
diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md
index 80e29e064c5..d4c1391155f 100644
--- a/.gitlab/issue_templates/Internal_use_only-CVE.md
+++ b/.gitlab/issue_templates/Internal_use_only-CVE.md
@@ -41,8 +41,8 @@ confidential! - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter - [ ] [:grey_question:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category + - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier, and update the GitLab Issue with it + - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Determine CVSS score and CWE category, and update the GitLab Issue with them - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition and supported EOL versions) - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers
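Review bot: the link reference `[step_note_cve_info]` on the second `+` line now labels a step that is only about CVSS and CWE, so the anchor name no longer describes its content; if the matching reference definition elsewhere in this template is updated in the same change, renaming it to something self-describing such as `step_assign_cvss_cwe` (a hypothetical name) would keep the checklist readable, and the text reads more naturally as `Determine the CVSS score and CWE category, and update the GitLab Issue with them`. The two rewritten items keep the checkbox, `[:grey_question:]` and `(SwEng)` owner format of the surrounding context lines, and the split matches the commit message: CVE ID recorded at assignment time, scoring and categorisation handled as their own step.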