servicemesher / istio-official-translation

Chinese localization of the Istio official website
https://www.servicemesher.com/istio-trans/

/about/security-vulnerabilities/index.md #722

Closed fleeto closed 5 years ago

fleeto commented 5 years ago

Source File: /about/security-vulnerabilities/index.md Diff:

 diff --git a/content/about/security-vulnerabilities/index.md b/content/about/security-vulnerabilities/index.md
index cafdfe5e..cfd3b5ad 100644
--- a/content/about/security-vulnerabilities/index.md
+++ b/content/about/security-vulnerabilities/index.md
@@ -1,6 +1,6 @@
 ---
-title: Security Vulnerabilities
-description: How we handle security vulnerabilities.
+title: Reporting Security Vulnerabilities
+description: Responsible disclosure for Istio security vulnerabilities.
 weight: 35
 icon: vulnerabilities
 ---
@@ -8,15 +8,13 @@ icon: vulnerabilities
 We are very grateful to the security researchers and users that report
 back Istio security vulnerabilities. We investigate every report thoroughly.

-## Reporting a vulnerability
-
 To make a report, send an email to the private
 [`istio-security-vulnerabilities@googlegroups.com`](mailto:istio-security-vulnerabilities@googlegroups.com)
 mailing list with the vulnerability details. For normal product bugs
 unrelated to latent security vulnerabilities, please head to
 our [Reporting Bugs](/about/bugs/) page to learn what to do.

-### When to report a security vulnerability?
+## When to report a security vulnerability?

 Send us a report whenever you:

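Review bot: dropping the `## Reporting a vulnerability` heading breaks any existing deep link to its anchor and leaves the mailing-list paragraph as an unlabelled continuation of the intro; if flattening the structure is intended, consider keeping an alias for the old anchor. The promoted headings also keep the trailing question mark (`## When to report a security vulnerability?`), which reads oddly as a section title; `## When to report a security vulnerability` is the more usual form.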
@@ -25,7 +23,7 @@ Send us a report whenever you:
 - Think a vulnerability is present in another project that Istio
 depends on. For example, Envoy, Docker, or Kubernetes.

-### When not to report a security vulnerability?
+## When not to report a security vulnerability?

 Don't send a vulnerability report if:

@@ -33,9 +31,9 @@ Don't send a vulnerability report if:
 - You need help applying security related updates.
 - Your issue is not security related.

-## Evaluation
+## Security vulnerability response

-The Istio security team acknowledges and analyzes each vulnerability report within three
+The Istio security team acknowledges and analyzes each report within three
 work days.

 Any vulnerability information you share with the Istio security team stays
@@ -45,38 +43,15 @@ projects. We only share the information as needed to fix the issue.
 We keep the reporter updated as the status of the security issue moves
 from `triaged`, to `identified fix`, to `release planning`.

-## Fixing the issue
-
-Once a security vulnerability has been fully characterized, a fix is developed by the Istio team.
-The development and testing for the fix happens in a private GitHub repository in order to prevent
-premature disclosure of the vulnerability.
-
-## Early disclosure
-
-Before vulnerabilities are disclosed to the public, there is an early private disclosure to a small set of Istio partners.
-This is to enable partners that distribute Istio binaries to prepare to distribute the fix.
-
-Early disclosure happens three working days prior to full public disclosure.
-
-Please fill out the [Early Security Vulnerability Disclosure](https://github.com/istio/community/issues/new?template=early-disclosure-request.md) form to request being
-added to the early disclosure mailing list.
-
-## Public disclosure
-
-On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:
-
-- Changes are merged from the private GitHub repository holding the fix into the appropriate set of public
-branches.
-
-- Release engineers ensure all necessary binaries are promptly built and published.
-
-- Once the binaries are available, an announcement is sent out on the following channels:
-
-    - The [Istio blog](/blog)
-    - The [Announcements](https://discuss.istio.io/c/announcements) category on discuss.istio.io
-    - The [Istio Twitter feed](https://twitter.cqom/IstioMesh)
-    - The [#announcement channel on Slack](https://istio.slack.com/messages/CFXS256EQ/)
-
-As much as possible this announcement should be actionable, and include any mitigating steps users can take prior to
-upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday.
-This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.
+## Public disclosure timing
+
+The Istio security team and the bug submitter negotiate a public
+disclosure date between them. We prefer to fully disclose the bug as
+soon as possible once a user mitigation is available.
+We consider reasonable to delay disclosure when the bug or the fix is
+not yet fully understood, the solution is not well-tested, or for
+vendor coordination. The time frame for disclosure is from immediate,
+especially if the bug is known publicly already, to a few weeks.
+As a basic default, we expect the report date and the disclosure date
+to be on the order of seven days apart. The Istio security team holds
+the final say on setting a disclosure date.
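Review bot: the new "Public disclosure timing" section removes the early-disclosure request form link and the list of announcement channels (blog, discuss.istio.io, Twitter, Slack) without replacing them, so readers no longer learn how distributing partners request early notice or where fixes are announced; if that is intentional, say so in the commit message, otherwise keep a short pointer to both. Two wording fixes in the added lines: "We consider reasonable to delay disclosure" should read "We consider it reasonable to delay disclosure", and "bug submitter" should be "reporter" to match the term used in the preceding section.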
loverto commented 5 years ago

/accept

mesher-bot commented 5 years ago

Thank you @loverto, this issue had been assigned to you.

loverto commented 5 years ago

/pushed

loverto commented 5 years ago

/merged