Write Runbooks for Addressing CVEs
When dealing with #553, I noticed we did not have a defined plan for dealing with CVEs. I think it would be valuable to have a runbook on how to address CVEs.
I think we should also include information in the contributing guide about how to responsibly disclose CVEs to the team.
Rough information that should go in the runbook: (thanks @bsherman)
- create a "war room" thread in #ublue-dev
- pause all dev work (PR merges, extraneous GitHub builds) until the CVE is handled, or until the team agrees to allow parallel efforts
- coordinate to write our own announcement
- test images/builds as needed