git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Revise responsibilities in the CVE checklist
author Vicky Risk <vicky@isc.org>
Tue, 26 Sep 2023 21:46:40 +0000 (21:46 +0000)
committer Michał Kępień <michal@isc.org>
Thu, 16 Nov 2023 10:39:51 +0000 (11:39 +0100)
Update the CVE checklist to reflect agreed-upon changes between Support
and Marketing responsibilities.

.gitlab/issue_templates/CVE.md

index 782c2a4d048a4ba9d1f9750513f7ae5933600891..c2fb695d2ec2586400241aa13e93c5f0c28eebde 100644 (file)
@@ -37,7 +37,8 @@ confidential!
   - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
   - [ ] [:link:][step_workarounds]       **(SwEng)** Determine whether workarounds for the problem exist
   - [ ] [:link:][step_coordinate]        **(SwEng)** If necessary, coordinate with other parties
-  - [ ] [:link:][step_earliest]          **(Support)** Prepare and send out "earliest" notifications
+  - [ ] [:link:][step_earliest_prepare]  **(Support)** Prepare "earliest" notification text and hand it off to Marketing
+  - [ ] [:link:][step_earliest_send]     **(Marketing)** Update "earliest" notification document in SF portal and send bulk email to earliest customers
   - [ ] [:link:][step_advisory_mr]       **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
   - [ ] [:link:][step_reproducer_mr]     **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
   - [ ] [:link:][step_notify_support]    **(SwEng)** Notify Support when a reproducer is ready
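Review bot: Splitting the old single-owner "earliest" step into a Support "prepare" item and a Marketing "send" item introduces a handoff with no confirmation step, so nothing in the checklist records that the bulk email actually went out before the T-5 work starts. Consider adding a short item after `step_earliest_send` along the lines of "**(Marketing)** Confirm to the IM that the earliest notification has been sent", or stating in `step_earliest_prepare` how Marketing acknowledges receipt of the text.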
@@ -55,34 +56,31 @@ confidential!
 
 ### At T-5
 
-  - [ ] [:link:][step_send_asn]          **(Support)** Send ASN to eligible customers
-  - [ ] [:link:][step_preannouncement]   **(Support)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
-
-### At T-4
-
-  - [ ] [:link:][step_verify_asn]        **(Support)** Verify that all ASN-eligible customers have received the notification email
+  - [ ] [:link:][step_asn_documents]     **(Marketing)** Update the text on the T-5 (from the Printing Press project) and "earliest" ASN documents in the SF portal
+  - [ ] [:link:][step_asn_links]         **(Marketing)** (BIND 9 only) Update the BIND -S information document in SF with download links to the new versions
+  - [ ] [:link:][step_asn_send]          **(Marketing)** Bulk email eligible customers to check the SF portal
+  - [ ] [:link:][step_preannouncement]   **(Marketing)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
 
 ### At T-1
 
-  - [ ] [:link:][step_check_customers]   **(Support)** Verify that any new or reinstated customers have received the notification email
   - [ ] [:link:][step_packager_emails]   **(First IM)** Send notifications to OS packagers
 
 ### On the Day of Public Disclosure
 
-  - [ ] [:link:][step_clearance]         **(IM)** Grant Support clearance to proceed with public release
-  - [ ] [:link:][step_publish]           **(Support)** Publish the releases (as outlined in the release checklist)
+  - [ ] [:link:][step_clearance]         **(IM)** Grant QA & Marketing clearance to proceed with public release
+  - [ ] [:link:][step_publish]           **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
   - [ ] [:link:][step_matrix]            **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
   - [ ] [:link:][step_publish_advisory]  **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base
   - [ ] [:link:][step_notifications]     **(First IM)** Send notification emails to third parties
   - [ ] [:link:][step_mitre]             **(First IM)** Advise MITRE about the disclosed CVEs
   - [ ] [:link:][step_merge_advisory]    **(First IM)** Merge the Security Advisory merge request
   - [ ] [:link:][step_embargo_end]       **(IM)** Inform original reporter (if external) that the security disclosure process is complete
-  - [ ] [:link:][step_customers]         **(Support)** Inform customers a fix has been released
+  - [ ] [:link:][step_asn_clear]         **(Marketing)** Update the SF portal to clear the ASN
+  - [ ] [:link:][step_customers]         **(Marketing)** Email ASN recipients that the embargo is lifted
 
 ### After Public Disclosure
 
   - [ ] [:link:][step_postmortem]        **(First IM)** Organize post-mortem meeting and make sure it happens
-  - [ ] [:link:][step_tickets]           **(Support)** Close support tickets
   - [ ] [:link:][step_regression]        **(QA)** Merge a regression test reproducing the bug into all affected (and still maintained) branches
 
 [step_deputy]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
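Review bot: Dropping `step_verify_asn` (the whole T-4 section) and `step_check_customers` at T-1 removes every delivery check from the process, so after the Marketing bulk email there is no item confirming that eligible, new or reinstated customers actually received the ASN. If the verification now happens as part of the SF portal workflow, say so in `step_asn_send`; otherwise keep one Marketing-owned verification item at T-4 or T-1. Two smaller points in the same hunk: the parenthetical in `step_asn_documents`, "the T-5 (from the Printing Press project)", will not be clear to a first-time IM and should name what that document is, and `step_tickets` ("Close support tickets") is deleted without a replacement even though Support still owns the matrix and advisory steps on disclosure day, so it looks like a step that was lost rather than reassigned.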
@@ -94,7 +92,8 @@ confidential!
 [step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
 [step_workarounds]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
 [step_coordinate]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties
-[step_earliest]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-and-send-out-earliest-notifications
+[step_earliest_prepare]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-earliest-notification-text-and-hand-it-off-to-marketing
+[step_earliest_send]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-earliest-notification-document-in-sf-portal-and-send-bulk-email-to-earliest-customers
 [step_advisory_mr]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
 [step_reproducer_mr]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
 [step_notify_support]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
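Review bot: The two new `[:link:]` targets (`step_earliest_prepare`, `step_earliest_send`) point at anchors derived from headings in the Security-Incident-Handling-Checklist-Explanations wiki page, and the old `#prepare-and-send-out-earliest-notifications` anchor is dropped. Please confirm the wiki page has been updated in step with this change (new explanation sections with exactly these headings, old section renamed or removed), otherwise both checklist links will render but resolve to nothing.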
@@ -109,12 +108,12 @@ confidential!
 [step_merge_fixes]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
 [step_patches]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
 [step_asn_releases]:      https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
-[step_send_asn]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-asn-to-eligible-customers
+[step_asn_documents]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-text-on-the-t-5-from-the-printing-press-project-and-earliest-asn-documents-in-the-sf-portal
+[step_asn_links]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-the-bind-s-information-document-in-sf-with-download-links-to-the-new-versions
+[step_asn_send]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bulk-email-eligible-customers-to-check-the-sf-portal
 [step_preannouncement]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
-[step_verify_asn]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-all-asn-eligible-customers-have-received-the-notification-email
-[step_check_customers]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-any-new-or-reinstated-customers-have-received-the-notification-email
 [step_packager_emails]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
-[step_clearance]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-support-clearance-to-proceed-with-public-release
+[step_clearance]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-qa-marketing-clearance-to-proceed-with-public-release
 [step_publish]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
 [step_matrix]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base
 [step_publish_advisory]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base
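Review bot: Same anchor concern for the three new `step_asn_*` definitions and the renamed `step_clearance` target: `#grant-qa-marketing-clearance-to-proceed-with-public-release` only resolves if the wiki heading was changed to "Grant QA & Marketing clearance ..." in the same way the checklist line was, and the very long `step_asn_documents` anchor must match the wiki heading character for character. Removing the `step_verify_asn` and `step_check_customers` definitions is consistent with the items deleted earlier in the patch, so no dangling references remain from what is visible here.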
@@ -122,7 +121,7 @@ confidential!
 [step_mitre]:             https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
 [step_merge_advisory]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
 [step_embargo_end]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
-[step_customers]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-customers-a-fix-has-been-released
+[step_asn_clear]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-sf-portal-to-clear-the-asn
+[step_customers]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#email-asn-recipients-that-the-embargo-is-lifted
 [step_postmortem]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#organize-post-mortem-meeting-and-make-sure-it-happens
-[step_tickets]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#close-support-tickets
 [step_regression]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches