...
Downstream stakeholders notification email

```text
This is an advance warning of a vulnerability discovered in
ONAP, to give you, as downstream stakeholders, a chance to
coordinate the release of fixes and reduce the vulnerability window.
Please treat the following information as confidential until the
proposed public disclosure date.

$DESCRIPTION

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date.

CVE: $CVE

Proposed public disclosure date/time:
$DISCLOSURE, 1400UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
{jira_issue_url}
For access to read and comment on this report, please reply to me
with your jira username and I will subscribe you.

--
{onap_vulnerability_sub-committee_member},
on behalf of the ONAP vulnerability sub-committee
```
ONAP Security Advisories (OSA)
Message should be signed.
- Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE)
- $CVE must always be of the form CVE-YYYY-XXXX
- $NUM is of the form YYYY-XX
ONAP security advisories (OSA)

```text
date: YYYY-MM-DD
id: OSA-$NUM
title: '$TITLE'
description: '$DESCRIPTION'
affected-products:
  - product: $PROJECT
    version: $AFFECTED_VERSIONS
vulnerabilities:
  - cve-id: $CVE
reporters:
  - name: '$CREDIT'
    affiliation: $CREDIT_AFFILIATION
    reported:
      - $CVE
issues:
  links:
    - {jira_issue_url}
reviews:
  $BRANCH:
    - {link to gerrit review}
  type: gerrit
notes:
  - 'Optional note such as cross project version requirements'
```
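
A pre-publication check for the advisory template above, as an added example that is not part of the ONAP page or its tooling: it takes an already-parsed OSA record (a plain dict), flags `$NAME` or `{...}` placeholders left unfilled, checks the `id`, `date` and CVE formats stated on this page, and checks that each reporter is credited only for CVEs the advisory declares. The function names, the sample values and the acceptance of CVE sequence numbers longer than four digits are assumptions of this example.

```python
import re

OSA_ID = re.compile(r"OSA-\d{4}-\d{2}")    # id: OSA-$NUM, with $NUM = YYYY-XX
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")   # CVE-YYYY-XXXX; longer sequences accepted (assumption)
DATE = re.compile(r"\d{4}-\d{2}-\d{2}")    # date: YYYY-MM-DD
PLACEHOLDER = re.compile(r"\$[A-Z_]+|\{[^{}]*\}")  # $NAME or {name} left unfilled

def strings(node):
    """Yield every string key and value in a nested dict/list structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from strings(list(node.keys()) + list(node.values()))
    elif isinstance(node, list):
        for item in node:
            yield from strings(item)

def lint_osa(adv):
    """Return the problems found in a parsed OSA record (empty list if clean)."""
    problems = [f"unfilled placeholder: {hit}"
                for text in strings(adv) for hit in PLACEHOLDER.findall(text)]
    if not DATE.fullmatch(str(adv.get("date", ""))):
        problems.append("date is not YYYY-MM-DD")
    if not OSA_ID.fullmatch(str(adv.get("id", ""))):
        problems.append("id is not OSA-YYYY-XX")
    declared = [v.get("cve-id", "") for v in adv.get("vulnerabilities", [])]
    problems += [f"malformed CVE id: {c}" for c in declared if not CVE_ID.fullmatch(c)]
    for reporter in adv.get("reporters", []):  # credits must point at declared CVEs
        problems += [f"reporter credits undeclared CVE: {c}"
                     for c in reporter.get("reported", []) if c not in declared]
    return problems

# Constructed sample record; every value below is made up for this example.
FILLED = {
    "date": "2019-03-05", "id": "OSA-2019-01",
    "title": "Sample title", "description": "Sample description",
    "affected-products": [{"product": "sample", "version": "<=1.0.0"}],
    "vulnerabilities": [{"cve-id": "CVE-2019-0000"}],
    "reporters": [{"name": "A. Reporter", "affiliation": "Example Org",
                   "reported": ["CVE-2019-0000"]}],
    "issues": {"links": ["https://jira.example.org/browse/SAMPLE-1"]},
    "reviews": {"master": ["https://gerrit.example.org/r/1"], "type": "gerrit"},
}
# Same record with the id and the review branch left as in the template.
DRAFT = dict(FILLED, id="OSA-$NUM",
             reviews={"$BRANCH": ["{link to gerrit review}"], "type": "gerrit"})

if __name__ == "__main__":
    for name, record in (("FILLED", FILLED), ("DRAFT", DRAFT)):
        print(name, lint_osa(record) or "clean")
```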