Provides discreet management of security vulnerability issues relevant to active CF projects.
- Provide a single point of contact for security vulnerability reporting and management.
- Provide management of security vulnerability reports through to resolution, including but not limited to triage, reporter and team coordination, embargo negotiation, CVSS scoring, CVE assignments, pre-disclosure and disclosure.
- Triage incoming security vulnerability reports to [email protected].
- Manage vulnerabilities through dedicated Slack channels.
- When appropriate, negotiate suitable embargo periods with the reporter to afford component teams time to fix the issue before it becomes known publicly.
- When appropriate, assign CVE numbers to vulnerabilities/fixes.
- Publish pre-disclosures to allow all CF distributions time to adopt fixes for high/critical vulnerabilities before they become known publicly.
- Publish disclosures of reported security vulnerabilities.
- Add security-related features to Cloud Foundry projects.
Security process and broadcast channels for security disclosures.
name: Vulnerability Management
execution_leads:
- name: Thomas Thalhofer
github: thomasthal
technical_leads:
- name: Paul Warren
github: paulcwarren
bots: []
areas: []