open-telemetry / sig-security

Apache License 2.0

Describe coordination process between different SIGs for vulnerabilities #62

Closed. mx-psi closed this issue 2 months ago.

mx-psi commented 2 months ago

The Community Incident Response Guidelines don't cover how different SIGs should coordinate for security vulnerabilities.

It is not uncommon for different SIGs to depend on artifacts produced by other SIGs. For example, the OpenTelemetry Collector is instrumented using opentelemetry-go, and the OpenTelemetry Operator depends on the OpenTelemetry Collector and the language autoinstrumentations. If there is a security vulnerability in an artifact that is used by other SIGs, it may make sense to coordinate with those SIGs prior to public disclosure to ensure that they are ready to release a patched version as well.

It would be helpful to provide explicit guidance for this on the CIRG.

jpkrohling commented 2 months ago

I'll add this to the "fix team", as often the downstream components will need to release a fix of their own as well.