Skip to content

DOC Add security release review process#2216

Open
hannahwestra25 wants to merge 3 commits into
microsoft:mainfrom
hannahwestra25:hannahwestra25-document-security-release-reviews
Open

DOC Add security release review process#2216
hannahwestra25 wants to merge 3 commits into
microsoft:mainfrom
hannahwestra25:hannahwestra25-document-security-release-reviews

Conversation

@hannahwestra25

@hannahwestra25 hannahwestra25 commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Description

Adds the customer-facing security links and release governance needed to address the documented partial-compliance gaps:

  • links the public security policy from the README, documentation navigation, and CoPyRIT sidebar
  • adds a public documentation page covering private vulnerability reporting and release security notices
  • requires security, content publishing, UX, and development reviews at scope freeze and final release candidate
  • adds a final release checklist with named, dated approvals and retained evidence
  • requires every GitHub release to disclose known high-priority security issues and breaking or backward-compatibility issues, including explicit "none known" statements
  • keeps details about security vulnerabilities that have not yet been publicly disclosed in the approved private security system

Tests and Documentation

  • npm test -- --runInBand src/components/Sidebar/Navigation.test.tsx
  • npm run type-check
  • npx eslint src/components/Sidebar/Navigation.tsx src/components/Sidebar/Navigation.test.tsx --max-warnings 0
  • jupyter-book build --html

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: 485d2633-734b-4ee0-a849-f9adeaf3a9bd
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: 485d2633-734b-4ee0-a849-f9adeaf3a9bd
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: 485d2633-734b-4ee0-a849-f9adeaf3a9bd
@hannahwestra25
hannahwestra25 marked this pull request as ready for review July 16, 2026 21:18
@hannahwestra25 hannahwestra25 changed the title [DRAFT] DOC Add security release review process DOC Add security release review process Jul 16, 2026

@romanlutz romanlutz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we start with this post-v1?


### Required Release Reviews

Use the existing release work item to record:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is the existing release work item?

Use the existing release work item to record:

- Release owner and target version
- Links to the UI, documentation, and release notes

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this for deployed customer-facing products? Otherwise, what would be a link to the UI?


- Release owner and target version
- Links to the UI, documentation, and release notes
- One reviewer each for development, security, content publishing, and user experience

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... and what do those reviews entail? Are these people on the team? Or others? If so, what's the SLA?

```

Coordinate the wording of security issues that have not yet been publicly disclosed
with the security reviewer and MSRC. Do not publish vulnerability details before their

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a bit much... Who is our MSRC contact?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants