Goal
This initiative focuses on resolving the open OCM CVE JIRAs with a due date before 15 December 2024.
As of 1 August 2024, there are 158 unresolved trackers that are past due. Engineering and ProdSec leadership have agreed on a four-month window, ending 15 December 2024, to resolve these past-due trackers across the entire portfolio.
As part of this effort, we also need a document describing how to triage and resolve CVEs within OCM. Because OCM consists of numerous components, for each reported CVE we need to determine:
- which OCM components include the dependency the CVE was reported against;
- whether each such component is actually vulnerable (for example, whether the version it ships falls inside the affected range);
- whether a fixed version of the dependency is available to resolve the CVE.
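The three triage questions above, worked through in code as an added example that is not part of this initiative document or of any OCM tooling. It assumes the components are Go modules: given an advisory record and each component's go.mod, it reports whether the component requires the module at all, whether the pinned version is inside the affected range, and whether a fixed release exists to move to. The Advisory and Verdict types, the EXAMPLE-ADVISORY-1 placeholder and the three component go.mod files are constructed for illustration and do not correspond to real advisories or repositories.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory is this example's minimal record of a CVE in one Go module; Fixed == "" means no fixed release yet.
type Advisory struct {
	ID, Module, Introduced, Fixed string
}

// Verdict records the answers to the three triage questions for one component.
type Verdict struct {
	Component  string
	HasDep     bool   // 1: does the component require the module at all?
	Version    string // the version it requires
	Vulnerable bool   // 2: is that version inside the affected range?
	FixAvail   bool   // 3: is there a fixed release to upgrade to?
}

// parseSemver packs "vMAJOR.MINOR.PATCH" into one comparable int. Suffixes such as
// -rc1 are ignored and minor/patch are assumed to be below 1000 (simplifications made here).
func parseSemver(v string) (int, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("unsupported version %q: %w", v, err)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// requiredVersion returns the version go.mod requires for module, from either a
// single-line "require m v" or a "require ( ... )" block, or "" if it is absent.
func requiredVersion(gomod, module string) string {
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) >= 2 && f[0] == module {
			return f[1] // trailing "// indirect" comments are ignored
		}
	}
	return ""
}

// Triage applies the three questions to one component's go.mod.
func Triage(component, gomod string, adv Advisory) (Verdict, error) {
	v := Verdict{Component: component}
	ver := requiredVersion(gomod, adv.Module)
	if ver == "" {
		return v, nil // dependency absent: this component is not affected
	}
	v.HasDep, v.Version = true, ver
	have, err1 := parseSemver(ver)
	intro, err2 := parseSemver(adv.Introduced)
	if err1 != nil || err2 != nil {
		return v, fmt.Errorf("%s: cannot compare %q with %q", component, ver, adv.Introduced)
	}
	v.Vulnerable = have >= intro
	if adv.Fixed != "" {
		fixed, err := parseSemver(adv.Fixed)
		if err != nil {
			return v, err
		}
		v.FixAvail = true
		if have >= fixed {
			v.Vulnerable = false // already on or past the fixed release
		}
	}
	return v, nil
}

// Constructed sample data: a placeholder advisory and three fictional component go.mod files.
var SampleAdvisory = Advisory{ID: "EXAMPLE-ADVISORY-1", Module: "example.com/lib", Introduced: "v1.0.0", Fixed: "v1.4.2"}

var SampleGoMods = map[string]string{
	"component-a": "module example.com/ocm/a\n\ngo 1.21\n\nrequire (\n\texample.com/other v2.0.0\n\texample.com/lib v1.3.0 // indirect\n)\n",
	"component-b": "module example.com/ocm/b\n\ngo 1.21\n\nrequire example.com/lib v1.5.0\n",
	"component-c": "module example.com/ocm/c\n\ngo 1.21\n\nrequire example.com/other v2.0.0\n",
}

func main() {
	for name, gomod := range SampleGoMods {
		if v, err := Triage(name, gomod, SampleAdvisory); err != nil {
			fmt.Println(err)
		} else {
			fmt.Printf("%+v\n", v)
		}
	}
}
```

The checked-in go.mod is only a starting point: the version actually built is the one minimal version selection picks across the whole module graph, so for a real triage read it from `go list -m -json all` rather than the file, and run `govulncheck`, which also reports whether the vulnerable functions are reachable from the component's own code, before concluding that a component is affected.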
Benefit Hypothesis:
- Teams can manage newly identified CVEs going forward without the noise of a large past-due backlog.
- Unresolved CVEs can also become an escalation point with customers, since affected product versions are listed as "affected" with no fix on our CVE pages. This erodes customer trust and consumes internal teams' time.
- OCM does not ship with known vulnerabilities for which a fix is available.
Resources
Responsibilities
All OCM teams
Success Criteria
- Remediations for all CVEs due before 15 December 2024
- Documentation describing how to triage and remediate OCM CVEs
- Plan for how to continue addressing CVEs in the future
Results
Add results here once the initiative has started. We recommend bulleted discussion notes and updates once per quarter.