From 5209720166d2381340dddd18216774e2754253ed Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Fri, 1 Aug 2025 02:34:02 +0000 Subject: [PATCH] docs: add templates for advanced disclosure and security release emails in runbook --- doc/security_issue_runbook.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/security_issue_runbook.md b/doc/security_issue_runbook.md index 1706b42c18..8b0bc7970b 100644 --- a/doc/security_issue_runbook.md +++ b/doc/security_issue_runbook.md @@ -25,6 +25,16 @@ For information on what types of issues are considered security vulnerabilities - Request CVE: Use the Big Green Button on the advisory to request a CVE number from GitHub staff. - Advanced Disclosure Email: Decide on a disclosure date, typically within a week, and send an email to sec-announce@bytecodealliance.org about the upcoming security release. Other ways are also available to communicate the disclosure date. +``` markdown +> A template for the advanced disclosure email + +The Wamr project would like to announce a forthcoming security release. + +The release will be made available on approximately YYYY-MM-DD. Additionally, an advisory will be made available on the same date at https://github.com/advisories. + +The highest severity issue fixed in this release is classified as XXX based on the CVSS classification scheme. +``` + ## Step 5: Preparing and Testing Patch Releases - Prepare PRs for Patch Releases: Create pull requests in the private fork for each version being patched. Ensure each PR is ready to apply cleanly and includes release notes for each release branch. 
@@ -38,6 +48,16 @@ For information on what types of issues are considered security vulnerabilities - Publish GitHub Advisories: Delete the private forks and use the Big Green Button to publish the advisory. - Send Security Release Email: Send a follow-up email to sec-announce@bytecodealliance.org describing the security release. Other communication channels can also be used to inform users about the security release. +```markdown +> A template for the security release email + +[Updated YYYY-MM-DD] Security release available. + +WAMR release version X.Y.Z is now available. The binary release can be found on GitHub at https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-Y.Y.Z. This release addresses the following security issues rated XXX: https://the link of the advisory + +We’ll be conducting a full review of our security practices to ensure ample notification is provided for future security releases. +``` + By following these steps, you can effectively manage and resolve security issues for your open source project, ensuring timely communication and collaboration while maintaining the integrity and security of your software. ## References
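Review bot: In the first hunk the opening fence is written `` ``` markdown `` with a space before the language tag, while the second hunk uses `` ```markdown ``; pick one form for both templates. Within that template the project is named "Wamr" but the second template says "WAMR", and the advisory link points at the generic https://github.com/advisories rather than the project's own advisories page; consider writing the project name consistently as WAMR and pointing the placeholder at the repository's security advisories page so readers of the announcement land on the right advisory.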
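Review bot: In the second hunk the release-tag placeholder does not match the version placeholder: the text announces "WAMR release version X.Y.Z" but the URL reads `.../releases/tag/WAMR-Y.Y.Z`, so the first component should be `X` (`WAMR-X.Y.Z`). The advisory reference `https://the link of the advisory` is not a valid URL and is easy to copy into a real email by mistake; replace it with an obvious placeholder such as `<ADVISORY URL>`, matching the `XXX` and `YYYY-MM-DD` style already used in the template, and consider the plain ASCII apostrophe in "We'll" for consistency with the rest of the runbook.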