Commit f614fa97ae5068f0793ce1bcc73d474e44843695

Authored by Dmitriy Zaporozhets
2 parents c938833b 9be86adb

Merge branch 'security-update' of /home/git/repositories/gitlab/gitlabhq

Showing 1 changed file with 10 additions and 4 deletions
doc/release/security.md
... ... @@ -13,12 +13,14 @@ Please report suspected security vulnerabilities in private to support@gitlab.co
13 13  
14 14 1. Verify that the issue can be repoduced
15 15 1. Acknowledge the issue to the researcher that disclosed it
16   -1. Fix the issue on a feature branch, do this on the private dev.gitlab.org server and update the VERSION and CHANGELOG
  16 +1. Fix the issue on a feature branch, do this on the private GitLab development server and update the VERSION and CHANGELOG in this branch
17 17 1. Consider creating and testing workarounds
18 18 1. Create feature branches for the blog posts on GitLab.org and GitLab.com and link them from the code branch
19   -1. Merge the code feature branch
20   -1. Create a git tag vX.X.X for CE and another one for EE
  19 +1. Merge the code feature branch into master
  20 +1. Cherry-pick the code into the latest stable branch
  21 +1. Create a git tag vX.X.X for CE and another patch release for EE
21 22 1. Push the code and the tags to all the CE and EE repositories
  23 +1. Apply the patch to GitLab Cloud and the private GitLab development server
22 24 1. Merge and publish the blog posts
23 25 1. Send tweets about the release from @gitlabhq and @git_lab
24 26 1. Send out an email to the subscribers mailing list on MailChimp
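Review bot: the added step "Create a git tag vX.X.X for CE and another patch release for EE" mixes a tag with a release and does not say which branch is tagged, even though the line just above cherry-picks the fix into the latest stable branch; make it explicit, e.g. "Create a git tag vX.X.X on the stable branch for CE and the matching tag for EE", so the pushed tags point at the patched stable code rather than master. While this list is being touched, the unchanged step "Verify that the issue can be repoduced" has a typo (reproduced).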
... ... @@ -27,13 +29,17 @@ Please report suspected security vulnerabilities in private to support@gitlab.co
27 29 1. Post a signed copy of our announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number
28 30 1. Add the security researcher to the [Security Researcher Acknowledgments list](http://www.gitlab.com/vulnerability-acknowledgements/)
29 31 1. Thank the security researcher in an email for their cooperation
30   -1. Update the blogposts when we receive a CVE number
  32 +1. Update the blogposts when we receive the CVE number
  33 +
  34 +The timing of the code merge into master should be coordinated in advance.
  35 +After the merge we strive to publish the announcements within 60 minutes.
31 36  
32 37 ## Blog post template
33 38  
34 39 XXX Security Advisory for GitLab
35 40  
36 41 A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately.
  42 +We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited.
37 43  
38 44 ### Version affected
39 45  
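Review bot: the added template line "We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited." ends with a stray "|", which leaves an empty alternative; drop the trailing pipe so it matches the bracket list on the line above. In the new timing paragraph, "After the merge we strive to publish the announcements within 60 minutes" ties the clock to the merge into master, but in the list above the merge is followed by cherry-picking, tagging and "Push the code and the tags to all the CE and EE repositories"; saying that the 60 minutes run from the public push would make clear that the fix is not visible in public repositories before the announcements are ready.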