Skip to content

Update vulnerability-response-runbook.md#48

Closed
pchickey wants to merge 2 commits into
mainfrom
pch/vuln_runbook_updates
Closed

Update vulnerability-response-runbook.md#48
pchickey wants to merge 2 commits into
mainfrom
pch/vuln_runbook_updates

Conversation

@pchickey
Copy link
Copy Markdown
Contributor

@pchickey pchickey commented May 18, 2026

Updates to the vulnerability response runbook:

  • use CVSS instead of OpenSSL to determine severity
  • wasmtime has a substantially different security backport policy
  • minor capitalization and formatting fixes

pchickey added 2 commits May 18, 2026 16:02
@pchickey
Update vulnerability-response-runbook.md
bf582b5 
Updates to the vulnerability response runbook: use CVSS instead of OpenSSL to determine severity,
@pchickey
add link to release process doc
e1c2bb4
@pchickey pchickey requested a review from a team May 18, 2026 23:09
alexcrichton
alexcrichton approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@alexcrichton alexcrichton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable to me, but I also think it's fine if we let the living document in our docs be the source fo truth rather than also updating here, too. Although maybe this could link to say the most up-to-date version is there too?

tschneidereit
tschneidereit approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@tschneidereit tschneidereit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, too. Though I also agree with Alex that it might be better to just add a note here that the up-to-date version of the runbook lives elsewhere, since RFCs aren't really meant to be living documents (sorta for better and worse.)

Comment thread accepted/vulnerability-response-runbook.md
Comment on lines +90 to +96
Wasmtime has committed that security issues will be applied to the current major
version of Wasmtime, the previous major version, and the previous two LTS releases
(i.e. those whose major version is divisible by 12). See the [Wasmtime LTS RFC]
for more details and [release process] docs for the current set of supported releases.

Other projects without an existing policy should do the same, unless they have
a very good reason for issuing backports.
[Wasmtime LTS RFC]: https://github.com/bytecodealliance/rfcs/blob/main/accepted/wasmtime-lts.md
[release process]: https://docs.wasmtime.dev/stability-release.html#release-process
Copy link
Copy Markdown
Member

@tschneidereit tschneidereit May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make sense to leave out the details here, replacing them with more generic language about projects choosing and documenting their release support policy, and then committing to patching all supported releases. That could come with a link to Wasmtime's release process doc as an example.

@pchickey
Copy link
Copy Markdown
Contributor Author

pchickey commented May 19, 2026

I updated this because I went looking for the runbook and forgot that the living copy was in the wasmtime docs, so I filled out these fixes before I actually found the wasmtime one. Will close this and just insert a notice at the top to redirect to the living document.

@pchickey pchickey closed this May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tschneidereit tschneidereit tschneidereit approved these changes

@alexcrichton alexcrichton alexcrichton approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pchickey @tschneidereit @alexcrichton