From be6bffd6e7e00463a14eaa1f975f63121d32407f Mon Sep 17 00:00:00 2001 From: charlie ablett Date: Wed, 10 Apr 2019 00:10:31 +0000 Subject: [PATCH] Correct slightly conflicting information regarding security processes for developers --- general/security/developer.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/general/security/developer.md b/general/security/developer.md index d85480b6..33d2be9b 100644 --- a/general/security/developer.md +++ b/general/security/developer.md @@ -20,7 +20,9 @@ the vulnerability. In this case, it should be a confidential issue on [gitlab.com]. Once a security issue is assigned to a developer, we follow the same merge -request and code review process as any other change, but on [dev.gitlab.org]. +request and code review process as any other change, but on [dev.gitlab.org]. +Create a merge request on `dev.gitlab.org` using the `Security Release` template +and follow the directions given there. All security fixes are released for [at least three monthly releases], and you will be responsible for creating backports as well. @@ -39,7 +41,7 @@ post-deployment patch process. disclosure. - [Create a new issue on org](https://dev.gitlab.org/gitlab/gitlabhq/issues/new?issuable_template=Security+developer+workflow) using the [Security Developer Workflow] template. - Security vulnerabilities that exist in **both** CE and EE should be fixed in - the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq). + the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq) **and** there needs to be a corresponding MR in EE. - Security vulnerabilities that exist only in EE should be fixed in the [EE project on org](https://dev.gitlab.org/gitlab/gitlab-ee). - Security vulnerabilities that exist in Omnibus should be fixed in the [Omnibus -- GitLab
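Review bot: In the first hunk (developer.md @@ -20,7 +20,9 @@), the removed line `-request and code review process as any other change, but on [dev.gitlab.org].` and the added line `+request and code review process as any other change, but on [dev.gitlab.org].` read identically, so that part of the change is presumably whitespace-only; if it is not intentional, drop it so the hunk is limited to the two genuinely new lines. The new sentence `Create a merge request on \`dev.gitlab.org\` using the \`Security Release\` template` names a second template alongside the `Security Developer Workflow` template that the later bullet list uses for issues; since the commit says it is correcting conflicting information, state explicitly that `Security Developer Workflow` is the issue template and `Security Release` is the merge request template, and link the MR template the way the issue template is linked, so readers do not take the two names for a contradiction.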
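Review bot: In the second hunk (developer.md @@ -39,7 +41,7 @@), the reworded bullet `the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq) **and** there needs to be a corresponding MR in EE.` leaves open who opens the EE merge request and where; the next bullet already links the EE project as `https://dev.gitlab.org/gitlab/gitlab-ee`, so reuse that link here and make the assignee's responsibility explicit, e.g. "and you must also open a corresponding MR in the [EE project on org](https://dev.gitlab.org/gitlab/gitlab-ee)". The hunk also does not say whether the EE MR uses the same `Security Release` template introduced earlier in this patch; a short clause settling that would avoid a second source of conflicting guidance.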