-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
security: blameless postmortem template. (#6553)
Modified from https://raw.githubusercontent.com/dastergon/postmortem-templates/master/templates/postmortem-template-srebook.md and https://landing.google.com/sre/book/chapters/postmortem.html. Signed-off-by: Harvey Tuch <[email protected]>
- Loading branch information
Showing
1 changed file
with
75 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| > Slimmed down template from: Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard | ||
| > Murphy. [“Site Reliability | ||
| > Engineering.”](https://landing.google.com/sre/book/chapters/postmortem.html), | ||
| > modified from | ||
| > https://raw.githubusercontent.com/dastergon/postmortem-templates/master/templates/postmortem-template-srebook.md. | ||
| > Follow the SRE link for examples of how to populate. | ||
| > A PR should be opened with postmortem placed in security/postmortems/cve-year-abcdef.md. If there | ||
| > are multiple CVEs in the postmortem, populate each alias with the string "See cve-year-abcdef.md". | ||
| # Security postmortem for CVE-YEAR-ABCDEF, CVE-YEAR-ABCDEG | ||
|
|
||
| ## Incident date(s) | ||
|
|
||
| > YYYY-MM-DD (as a date range if over a period of time) | ||
| ## Authors | ||
|
|
||
| > @foo, @bar, ... | ||
| ## Status | ||
|
|
||
| > Draft | Final | ||
| ## Summary | ||
|
|
||
| > A few sentence summary. | ||
| ## CVE issue(s) | ||
|
|
||
| > https://github.com/envoyproxy/envoy/issues/${CVE_ISSUED_ID} | ||
| ## Root Causes | ||
|
|
||
| > What defect in Envoy led to the CVEs? How did this defect arise? | ||
| ## Resolution | ||
|
|
||
| > How was the security release process followed? How were the fix patches | ||
| > structured and authored? | ||
| ## Detection | ||
|
|
||
| > How was this discovered? Reported by XYZ, found by fuzzing? Private or public | ||
| > disclosure? | ||
| ## Action Items | ||
|
|
||
| > Create action item issues and include in their body "Action item for | ||
| > CVE-YEAR-ABCDEF". Modify the search string below to include in the PR: | ||
| https://github.com/envoyproxy/envoy/issues?utf8=%E2%9C%93&q=is%3Aissue+%22Action+item+for+CVE-YEAR-ABCDEF%22 | ||
|
|
||
| ## Lessons Learned | ||
|
|
||
| ### What went well | ||
|
|
||
| ### What went wrong | ||
|
|
||
| ### Where we got lucky | ||
|
|
||
| ## Timeline | ||
|
|
||
| All times US/Pacific | ||
|
|
||
| YYYY-MM-DD | ||
| * HH:MM Cake was made available | ||
| * HH:MM People ate the cake | ||
|
|
||
| YYYY-MM-DD | ||
| * HH:MM More cake was available | ||
| * HH:MM People ate more cake | ||
|
|
||
| ## Supporting information |