
GA: CVE intake / PSIRT activation + 1.x support-window declaration #753

Description

@justinjoy

Why (block)

A library declaring a 1.0 stable API takes on a public
security-response obligation. #687 (GA Epic) does not list a CVE
intake process, a PSIRT (Product Security Incident Response Team)
activation, or a documented support window for 1.x.

Without these:

  • Downstream embedders cannot file a CVE responsibly (no
    intake address, no PGP key for encrypted disclosure).
  • The wirelog project cannot triage incoming reports
    consistently.
  • "How long is 1.x supported" is undefined; CVE backports
    have no scope.

Scope

  • PSIRT contact:
    • Designate a security contact email (e.g.,
      security@cleverplant.com or a project-mailbox).
    • Publish in SECURITY.md (cross-ref Blocker B11, #698:
      SECURITY.md rewritten).
    • Optional: publish a project PGP key for encrypted
      disclosure.
  • CVE intake process:
    • Document the disclosure timeline in SECURITY.md:
      acknowledgement window, fix window, public-disclosure
      window.
    • Establish CVE-ID requesting (via GitHub's CNA, or
      cve.mitre.org).
  • 1.x support window:
    • Declare the duration: e.g., 1.x supported for 18 months
      after 1.0 GA (or 12 months after 2.0 GA, whichever is
      later). Document in docs/SUPPORT_POLICY.md (new) or
      extend README.md.
    • Define what "supported" means: bug fixes, CVE backports,
      no new features.
    • Define LTS designation if any (e.g., 1.0.x is LTS
      through 2026-12).

Acceptance

  • SECURITY.md documents the PSIRT contact, the disclosure
    procedure, and the supported version table.
  • docs/SUPPORT_POLICY.md (or equivalent) declares the 1.x
    support window.
  • README.md's supported-versions table cross-links the
    policy.

Cross-ref: #687, #698 B11, #684, #701.
