Security/Bug Approval Process: Difference between revisions

(reorganizing page, plus some minor edits like slack for irc etc)


# The Security assurance team goes through sec-approval ? bugs daily and approves low risk fixes for central (if early in cycle). Developers can also ping the Security Assurance Team (specifically Tom Ritter & Dan Veditz) in #security on Slack when important.
## If a bug lacks a security-rating, one should be assigned, possibly in coordination with (other members of) the Security Assurance Team.
# Security team marks tracking flags to ? for all affected versions when approved for central. (This allows release management to decide whether to uplift to branches just like always.)
# Weekly security/release management triage meeting goes through sec-approval + and ? bugs where beta and ESR are affected, ? bugs with higher risk (sec-high and sec-critical), or ? bugs near end of cycle.


(more coming)
 
Options for sec-approval include a logical combination of the following:
 
* Separate out the test and comments in the code into a followup commit we will commit later.
* Remove the commit message and place it in the bug or comments in a followup commit.
* Land today
* Land today, land the tests after <date>
* Land closer to the release date
* Land in Nightly to assess stability
* Land today and request uplift to all branches
* Request uplift to all branches and we'll land as close to shipping as permitted
* Chemspill time
 
The decision process for which of these to choose is perceived risk on multiple axes:
 
* ease of exploitation
* reverse engineering risk
* stability risk
 
The most common choice is: not much stability risk, not an immediate RE risk, moderate to high difficulty of exploitation: "land whenever"