do not commit me: this is for WIP

Signed-off-by: Mahe Tardy <[email protected]>

Author: mtardy

sig-security-tooling/src/templates/email.md

@@ -0,0 +1,84 @@
+_Use this email template for publicly disclosing security vulnerabilities._
+
+_The email should be **concise** and **actionable**. Assume the audience are not
+Kubernetes developers. Non-actionable information (e.g. technical discussion of
+the vulnerability) should be deferred to the [vulnerability
+issue](vulnerability-announcement-issue.md)._
+
+TO: `[email protected], [email protected], [email protected], [email protected], [email protected]`
+
+SUBJECT: `[Security Advisory] $CVE: $SUMMARY`
+
+_A separate email should be sent for `[email protected]`, with `[kubernetes]` in the subject:_
+
+TO: `[email protected]`
+
+SUBJECT: `[kubernetes] $CVE: $SUMMARY`
+
+_A separate email should be sent to the forum from the `[email protected]` Google group and cc `[email protected]`:_
+
+TO: `[email protected]`
+cc: `[email protected]`
+
+SUBJECT: `[Security Advisory] $CVE: $SUMMARY`
+
+_See [Fix disclosure process](security-release-process.md#fix-disclosure-process) for additional places the announcement should be posted._
+
+---
+
+Hello Kubernetes Community,
+
+A security issue was discovered in Kubernetes where $ACTOR may be able to $DO_SOMETHING.
+
+This issue has been rated **$SEVERITY** (link to CVSS calculator https://www.first.org/cvss/calculator/3.1) (optional: $SCORE), and assigned **$CVE_NUMBER**
+
+### Am I vulnerable?
+
+_How to determine if a cluster is impacted. Include:_
+- _Vulnerable configuration details_
+- _Commands that indicate whether a component, version or configuration is used_
+
+#### Affected Versions
+
+- $COMPONENT $VERSION_RANGE_1
+- $COMPONENT $VERSION_RANGE_2 ...
+- ...
+
+### How do I mitigate this vulnerability?
+
+_(If additional steps required after upgrade)_
+**ACTION REQUIRED:** The following steps must be taken to mitigate this vulnerability: ...
+
+_(If possible):_ Prior to upgrading, this vulnerability can be mitigated by ...
+
+#### Fixed Versions
+
+- $COMPONENT $VERSION
+- $COMPONENT $VERSION
+- ...
+
+_(If fix has side effects)_ **Fix impact:** details of impact.
+
+To upgrade, refer to the documentation: ... ($COMPONENT upgrade documentation)
+
+_For core Kubernetes:_ https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/
+
+### Detection
+
+_How can exploitation of this vulnerability be detected?_
+
+If you find evidence that this vulnerability has been exploited, please contact [email protected]
+
+#### Additional Details
+
+See the GitHub issue for more details: $GITHUBISSUEURL
+
+#### Acknowledgements
+
+This vulnerability was reported by $REPORTER.
+
+_(optional):_ The issue was fixed and coordinated by $FIXTEAM and $RELEASE_MANAGERS.
+
+Thank You,
+
+$PERSON on behalf of the Kubernetes Security Response Committee

sig-security-tooling/src/templates/issue.md

@@ -0,0 +1,71 @@
+_Use this issue template for filling out CVE placeholder issues._
+
+TITLE: `CVE-####-######: $SUMMARY`
+
+---
+
+<!-- Copy URL after # as the link text -->
+CVSS Rating: [CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
+
+_Description of vulnerability_
+
+<!-- Copy these sections from the announcement email -->
+
+### Am I vulnerable?
+
+_How to determine if a cluster is impacted. Include:_
+- _Vulnerable configuration details_
+- _Commands that indicate whether a component, version or configuration is used_
+
+#### Affected Versions
+
+- $COMPONENT $VERSION_RANGE_1
+- $COMPONENT $VERSION_RANGE_2 ...
+- ...
+
+### How do I mitigate this vulnerability?
+
+_(If additional steps required after upgrade)_
+**ACTION REQUIRED:** The following steps must be taken to mitigate this
+vulnerability: ...
+
+_(If possible):_ Prior to upgrading, this vulnerability can be mitigated by ...
+
+#### Fixed Versions
+
+<!-- Add links to PRs & main/master branch -->
+- $COMPONENT main/master - fixed by #12345678
+- ...
+
+_(If fix has side effects)_ **Fix impact:** details of impact.
+
+To upgrade, refer to the documentation: ... ($COMPONENT upgrade documentation)
+
+_For core Kubernetes:_ https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade
+
+### Detection
+
+_How can exploitation of this vulnerability be detected?_
+
+If you find evidence that this vulnerability has been exploited, please contact [email protected]
+
+## Additional Details
+
+_Optional details:_
+- Vulnerability background
+- Technical explanation of vulnerability and/or fix
+- Reproduction steps (avoid disclosing unnecessary details)
+
+#### Acknowledgements
+
+This vulnerability was reported by $REPORTER.
+
+_(optional):_ The issue was fixed and coordinated by $FIXTEAM and $RELEASE_MANAGERS.
+
+<!-- labels -->
+/area security
+/kind bug
+/committee security-response
+/label official-cve-feed
+/sig $RELEVANT_SIGS
+/area $IMPACTED_COMPONENTS

sig-security-tooling/src/templates/placeholder-issue.md

@@ -0,0 +1,11 @@
+_Use this issue template for filing CVE placeholder issues._
+
+TITLE: PLACEHOLDER ISSUE
+
+---
+
+/triage accepted
+/lifecycle frozen
+/area security
+/kind bug
+/committee security-response

sig-security-tooling/src/templates/slack.md

@@ -0,0 +1,17 @@
+_Use this slack message template for publicly disclosing security vulnerabilities on slack._
+
+_This message should be posted to the `#announcements` channel, which requires special permissions._
+
+---
+
+The Security Response Committee has posted a security advisory for $COMPONENT that $SUMMARY. This
+issue has been rated **$SEVERITY** and assigned **$CVE**. Please see $ISSUE for more details.
+
+---
+
+_Example_
+
+The Security Response Committee has posted a security advisory for the kube-apiserver that could
+allow node updates to bypass a Validating Admission Webhook. This issue has been rated **Medium**
+and assigned **CVE-2021-25735**. Please see https://github.com/kubernetes/kubernetes/issues/100096
+for more details.

sig-security-tooling/srctl/.gitignore

@@ -1 +1 @@
-CVE*
+CVE*