Security Vulnerability Management Process for SONiC Community
This document outlines the SONiC vulnerability reporting and management process.
TSC members, can you please help to review and approve this PR? Thanks.
Looks good to me.
Is there a template to report SONiC security issues? Regarding security issues - do we want all security issues dealt with within 90 days? Critical items (CVSS > 9.0) might require a more immediate response if the item is highly critical and highly visible.
The security template will be defined later by the security committee. The 90 days is the duration from the date when a mitigation is identified to the vulnerability exposure date; overall, we expect the reported issues to be mitigated as soon as possible.
The security committee can define a template if they want. The 90 days is the longest waiting time from when a mitigation/fix is ready; we expect the vulnerability to be mitigated as soon as possible.
@adyeung @balajib-cisco @eddieruan-alibaba can you please help to approve this PR if you are ok with the updated content? Thanks.