Communication Templates
This section contains reference templates for communication used in Vulnerability Management Process.
All the messages should be sent in plain text (may be encrypted if desired) without HTML content.
Reception confirmation email
Message should be signed.
Please double check to not include content of the original bug report in plain text.
Reception confirmation email
Dear {reporter},
Thank you for your report.
We confirm reception of your report. We still did not classified your report but we would like to ensure you that we are looking into this.
We have created a private security issue in JIRA to track this issue:
{jira_issue_url}
If you would like to participate in this ticket please provide us your JIRA username.
We will provide you update on your report status as soon as possible.
--
Thanks
{onap_vulnerability_ sub-committee _member},
on behalf of the ONAP vulnerability sub-committee
Triage confirmation email
Message should be signed.
Triage confirmation email
Dear {reporter},
This issue has been confirmed as a security vulnerability in { project }.
The initially assign severity level is: {severity level}.
Please let us know if you disagree with our assessment.
We would like to get it fixed under the ONAP embargoed security vulnerability process.
Please do not discuss or disclose details about this flaw prior to the agreed disclosure date (TBA).
All decisions, discussions, and proposed patches and reviews are to be done via this tracking issue:
{jira_issue_url}
In general we will request for a CVE number for every confirmed security vulnerability to ensure full traceability.
Please let us know if you have already obtained a CVE number for this issue in order to avoid duplicates.
--
Thanks
{onap_vulnerability_ sub-committee _member},
on behalf of the ONAP vulnerability sub-committee
Coordinated disclosure
Message should be signed.
Coordinated disclosure
Dear {reporter},
We have developed a patch that fixes the reported issue.
The allocated CVE number is: {CVE id}
Now we are approaching final step of our process which is coordinated disclosure.
We scheduled the publication date to {publication date}.
Please contact us immediately if you would like us to modify the disclosure date.
Thank you very much for following responsible disclosure model.
--
{onap_vulnerability_ sub-committee _member},
on behalf of the ONAP vulnerability sub-committee
Impact description
Impact description
Downstream stakeholders notification email
Message should be signed.
Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE)
Downstream stakeholders notification email
Security issue available in public (not reported privately)
Message should be signed.
Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE) has been disclosed
Downstream stakeholders notification email
Security issue available in public (reported privately)
Message should be signed.
Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE) has been leaked
Downstream stakeholders notification email
ONAP Security Advisories (OSA)
Message should be signed.
Subject: [pre-OSA] Vulnerability in ONAP $PROJECT ($CVE)
$CVE must always be of the form CVE-YYYY-XXXX
$NUM is of the form YYYY-XX