Merge branch 'michal/rework-the-security-incident-handling-checklist' into 'main'

Rework the Security Incident Handling Checklist

See merge request isc-projects/bind9!6980

.gitlab/issue_templates/Bug.md

@@ -1,8 +1,8 @@
 <!--
 If the bug you are reporting is potentially security-related - for example,
 if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please do *NOT* report it here, but send an
-email to [security-officer@isc.org](security-officer@isc.org).
+triggered repeatedly - then please make sure that you make the new issue
+confidential!
 -->
 
 ### Summary

.gitlab/issue_templates/CVE.md

@@ -3,35 +3,126 @@ THIS ISSUE TEMPLATE IS INTENDED ONLY FOR INTERNAL USE.
 
 If the bug you are reporting is potentially security-related - for example,
 if it involves an assertion failure or other crash in `named` that can be
-triggered repeatedly - then please do *NOT* report it here, but send an
-email to [security-officer@isc.org](security-officer@isc.org).
+triggered repeatedly - then please make sure that you make the new issue
+confidential!
 -->
+| Quick Links              | :link:                               |
+| ------------------------ | ------------------------------------ |
+| Incident Manager:        | @user                                |
+| Deputy Incident Manager: | @user                                |
+| Public Disclosure Date:  | YYYY-MM-DD                           |
+| CVSS Score:              | [0.0][cvss_score]                    |
+| Security Advisory:       | isc-private/printing-press!NNN       |
+| Mattermost Channel:      | [CVE-YYYY-NNNN][mattermost_url]      |
+| Support Ticket:          | [URL]                                |
+| Release Checklist:       | #NNNN                                |
+| Post-mortem Etherpad:    | [postmortem-YYYY-MM][postmortem_url] |
 
-### CVE-specific actions
+[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1
+[mattermost_url]:
+[postmortem_url]:
 
-  - [ ] Assign a CVE identifier
-  - [ ] Determine CVSS score
-  - [ ] Determine the range of BIND versions affected (including the Subscription Edition)
-  - [ ] Determine whether workarounds for the problem exists
-  - [ ] Create a draft of the security advisory and put the information above in there
-  - [ ] Prepare a detailed description of the problem which should include the following by default:
-      - instructions for reproducing the problem (a system test is good enough)
-      - explanation of code flow which triggers the problem (a system test is *not* good enough)
-  - [ ] Prepare a private merge request containing the following items in separate commits:
-      - a test for the issue (may be moved to a separate merge request for deferred merging)
-      - a fix for the issue
-      - documentation updates (`CHANGES`, release notes, anything else applicable)
-  - [ ] Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
-  - [ ] Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
-  - [ ] Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
-  - [ ] Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
+:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
 
-### Release-specific actions
+[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
 
-  - [ ] Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
-  - [ ] Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
-  - [ ] Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order
+### Earlier Than T-5
 
-### Post-disclosure actions
+  - [ ] [:link:][step_deputy]            **(IM)** Pick a Deputy Incident Manager
+  - [ ] [:link:][step_respond]           **(IM)** Respond to the bug reporter
+  - [ ] [:link:][step_etherpad]          **(IM)** Create an Etherpad for post-mortem
+  - [ ] [:link:][step_public_mrs]        **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
+  - [ ] [:link:][step_assign_cve_id]     **(IM)** Assign a CVE identifier
+  - [ ] [:link:][step_note_cve_info]     **(SwEng)** Update this issue with the assigned CVE identifier and the CVSS score
+  - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
+  - [ ] [:link:][step_workarounds]       **(SwEng)** Determine whether workarounds for the problem exist
+  - [ ] [:link:][step_coordinate]        **(SwEng)** If necessary, coordinate with other parties
+  - [ ] [:link:][step_earliest]          **(Support)** Prepare and send out "earliest" notifications
+  - [ ] [:link:][step_advisory_mr]       **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
+  - [ ] [:link:][step_reproducer_mr]     **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
+  - [ ] [:link:][step_notify_support]    **(SwEng)** Notify Support when a reproducer is ready
+  - [ ] [:link:][step_code_analysis]     **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem
+  - [ ] [:link:][step_fix_mr]            **(SwEng)** Prepare a private merge request with the fix
+  - [ ] [:link:][step_review_fix]        **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions
+  - [ ] [:link:][step_review_docs]       **(Support)** Review the documentation changes introduced by the merge request with the fix
+  - [ ] [:link:][step_backports]         **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
+  - [ ] [:link:][step_finish_advisory]   **(Support)** Finish preparing the Security Advisory
+  - [ ] [:link:][step_meta_issue]        **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
+  - [ ] [:link:][step_changes]           **(QA)** (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
+  - [ ] [:link:][step_merge_fixes]       **(QA)** Merge the CVE fixes in CVE identifier order
+  - [ ] [:link:][step_patches]           **(QA)** Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
+  - [ ] [:link:][step_asn_releases]      **(QA)** Prepare ASN releases (as outlined in the Release Checklist)
 
-  - [ ] Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches
+### At T-5
+
+  - [ ] [:link:][step_send_asn]          **(Support)** Send ASN to eligible customers
+  - [ ] [:link:][step_preannouncement]   **(Support)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
+
+### At T-4
+
+  - [ ] [:link:][step_verify_asn]        **(Support)** Verify that all ASN-eligible customers have received the notification email
+
+### At T-1
+
+  - [ ] [:link:][step_check_customers]   **(Support)** Verify that any new or reinstated customers have received the notification email
+  - [ ] [:link:][step_packager_emails]   **(First IM)** Send notifications to OS packagers
+
+### On the Day of Public Disclosure
+
+  - [ ] [:link:][step_clearance]         **(IM)** Grant Support clearance to proceed with public release
+  - [ ] [:link:][step_publish]           **(Support)** Publish the releases (as outlined in the release checklist)
+  - [ ] [:link:][step_matrix]            **(Support)** (BIND 9 only) Update vulnerability matrix in the Knowledge Base
+  - [ ] [:link:][step_publish_advisory]  **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base
+  - [ ] [:link:][step_notifications]     **(First IM)** Send notification emails to third parties
+  - [ ] [:link:][step_mitre]             **(First IM)** Advise MITRE about the disclosed CVEs
+  - [ ] [:link:][step_merge_advisory]    **(First IM)** Merge the Security Advisory merge request
+  - [ ] [:link:][step_embargo_end]       **(IM)** Inform original reporter (if external) that the security disclosure process is complete
+  - [ ] [:link:][step_customers]         **(Support)** Inform customers a fix has been released
+
+### After Public Disclosure
+
+  - [ ] [:link:][step_postmortem]        **(First IM)** Organize post-mortem meeting and make sure it happens
+  - [ ] [:link:][step_tickets]           **(Support)** Close support tickets
+  - [ ] [:link:][step_regression]        **(QA)** Merge a regression test reproducing the bug into all affected (and still maintained) branches
+
+[step_deputy]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
+[step_respond]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
+[step_etherpad]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-an-etherpad-for-post-mortem
+[step_public_mrs]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
+[step_assign_cve_id]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier
+[step_note_cve_info]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-and-the-cvss-score
+[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
+[step_workarounds]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
+[step_coordinate]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties
+[step_earliest]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-and-send-out-earliest-notifications
+[step_advisory_mr]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
+[step_reproducer_mr]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
+[step_notify_support]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
+[step_code_analysis]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem
+[step_fix_mr]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix
+[step_review_fix]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions
+[step_review_docs]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix
+[step_backports]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product
+[step_finish_advisory]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory
+[step_meta_issue]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle
+[step_changes]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-reserve-a-block-of-changes-placeholders-once-the-complete-set-of-vulnerabilities-fixed-in-a-given-release-cycle-is-determined
+[step_merge_fixes]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
+[step_patches]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
+[step_asn_releases]:      https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
+[step_send_asn]:          https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-asn-to-eligible-customers
+[step_preannouncement]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
+[step_verify_asn]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-all-asn-eligible-customers-have-received-the-notification-email
+[step_check_customers]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#verify-that-any-new-or-reinstated-customers-have-received-the-notification-email
+[step_packager_emails]:   https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
+[step_clearance]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-support-clearance-to-proceed-with-public-release
+[step_publish]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
+[step_matrix]:            https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-vulnerability-matrix-in-the-knowledge-base
+[step_publish_advisory]:  https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base
+[step_notifications]:     https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties
+[step_mitre]:             https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
+[step_merge_advisory]:    https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
+[step_embargo_end]:       https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
+[step_customers]:         https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-customers-a-fix-has-been-released
+[step_postmortem]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#organize-post-mortem-meeting-and-make-sure-it-happens
+[step_tickets]:           https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#close-support-tickets
+[step_regression]:        https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches

.gitlab/issue_templates/Release.md

@@ -52,7 +52,7 @@
 
  - [ ] ***(QA)*** Check that the formatting is correct for HTML and PDF versions of release notes.
  - [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- - [ ] ***(QA)*** Verify GitLab CI results for the tags created and prepare a QA report for the releases to be published.
+ - [ ] ***(QA)*** Verify GitLab CI results for the tags created and sign off on the releases to be published.
  - [ ] ***(QA)*** Update GitLab settings for all maintained branches to allow merging to them again.
  - [ ] ***(QA)*** Prepare and merge MRs resetting the release notes and updating the version string for each maintained branch.
  - [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
@@ -62,6 +62,7 @@
  - [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again.
  - [ ] ***(Support)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
  - [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages.
+ - [ ] ***(QA)*** Prepare the `patches/` subdirectory for each security release (if applicable).
  - [ ] ***(QA)*** Notify Support that the releases have been prepared.
  - [ ] ***(Support)*** Send out ASNs (if applicable).
 
@@ -87,7 +88,7 @@
  - [ ] ***(QA)*** Merge published release tags (non-linearly) back into the their relevant development/maintenance branches.
  - [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
  - [ ] ***(QA)*** Sanitize confidential issues which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
- - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint) by modifying the relevant `Dockerfile`.
+ - [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant `Dockerfile`.
 
 [^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
 [^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.