-
Notifications
You must be signed in to change notification settings - Fork 808
DOC Add security release review process #2216
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,6 +11,23 @@ Follow the instructions according to the order provided. | |
|
|
||
| Before starting the release process, verify the codebase is in a healthy state. | ||
|
|
||
| ### Required Release Reviews | ||
|
|
||
| Use the existing release work item to record: | ||
|
|
||
| - Release owner and target version | ||
| - Links to the UI, documentation, and release notes | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this for deployed customer-facing products? Otherwise, what would be a link to the UI? |
||
| - One reviewer each for development, security, content publishing, and user experience | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ... and what do those reviews entail? Are these people on the team? Or others? If so, what's the SLA? |
||
|
|
||
| | Checkpoint | Timing | Completion criteria | | ||
| |---|---|---| | ||
| | Scope freeze | Before release testing | Reviewers assess planned customer-facing changes. Security and compatibility findings are linked and assigned. | | ||
| | Final release candidate | Immediately before publishing | Reviewers approve the final UI, documentation, and release notes. High-priority findings are resolved or covered by an approved customer disclosure. | | ||
|
|
||
| Do not publish until all final approvals, including reviewer names and dates, are | ||
| recorded in the release work item. Store details about security vulnerabilities that | ||
| have not yet been publicly disclosed only in the approved private security system. | ||
|
|
||
| - **Check for pending changes.** Ask other PyRIT maintainers whether they have any in-flight changes that should land before the release. | ||
| - **Verify build pipelines.** Confirm that all integration tests and end-to-end tests are passing in the CI pipelines. If any tests are failing, fix them before proceeding. | ||
| - **Partner integration tests.** Ensure the partner integration tests are also passing. These tests validate that we are not breaking contracts with partner teams (e.g., Foundry). If any are failing, coordinate with the affected partner teams before proceeding with the release. | ||
|
|
@@ -254,6 +271,16 @@ since `downgrade()` risks data loss. | |
|
|
||
| ## 10. Publish to PyPI | ||
|
|
||
| Before publishing, complete and retain this checklist in the release work item: | ||
|
|
||
| - [ ] Technical reviews of the final customer-facing content and UI are complete, and all high-priority feedback is resolved or has an approved disposition. | ||
| - [ ] Scope-freeze and final-release-candidate reviews are recorded. | ||
| - [ ] The final development, content publishing, security, and user experience approvals are recorded with reviewer names and dates. | ||
| - [ ] Release notes contain the required security and compatibility disclosures described in step 12, including explicit "None known" statements where applicable. | ||
| - [ ] Links to review evidence and the final approved artifacts are retained in the release work item. | ||
|
|
||
| Do not publish the package until every item is complete. | ||
|
|
||
| Create an account on pypi.org if you don't have one yet. | ||
| Ask one of the other maintainers to add you to the `pyrit` project on PyPI. | ||
|
|
||
|
|
@@ -290,11 +317,30 @@ Make sure that it starts where the last release left off. | |
| Sometimes this tool adds too many changes, or leaves a few out, so it's best to check. | ||
| Be sure to check and update the new contributors as well. | ||
| Add a header "## Full list of changes" below "## What's changed?". | ||
| In addition to the full notes, we also want a shorter section with just the relevant | ||
| changes that users should be aware of. The shorter section will be under "## What's changed" | ||
| while the full list of changes will be right below. | ||
| Maintenance changes, build pipeline updates, and documentation fixes are not really important for users. | ||
| However, important bug fixes, new features, and breaking changes are good candidates to include. | ||
| Under "## What's changed", summarize the important bug fixes and features that | ||
| customers should know about. Maintenance changes, build pipeline updates, and routine | ||
| documentation fixes can remain in the full list only. | ||
|
|
||
| Every release must include these customer-facing sections before "## Full list of changes": | ||
|
|
||
| ```markdown | ||
| ## Security | ||
|
|
||
| Describe security fixes and any known high-priority security issues that customers | ||
| must consider, including affected versions and recommended actions. If there are no | ||
| known issues to disclose, write "No known high-priority security issues." | ||
|
|
||
| ## Breaking changes and compatibility | ||
|
|
||
| Describe breaking changes, backward-compatibility issues, affected versions, and | ||
| migration or mitigation steps. If there are none, write "No known breaking changes | ||
| or backward-compatibility issues." | ||
| ``` | ||
|
|
||
| Coordinate the wording of security issues that have not yet been publicly disclosed | ||
| with the security reviewer and MSRC. Do not publish vulnerability details before their | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This seems like a bit much... Who is our MSRC contact? |
||
| approved publication date. Confirm in the release work item that these sections match | ||
| the final reviewed content and UI. | ||
| If you are unsure about whether to include certain changes please consult with your fellow | ||
| maintainers. | ||
| When you're done, hit "Publish release" and mark it as the latest release. | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # Security | ||
|
|
||
| Microsoft takes the security of PyRIT seriously. | ||
|
|
||
| If you believe you have found a security vulnerability, **do not report it through a | ||
| public GitHub issue**. Submit it privately to the | ||
| [Microsoft Security Response Center](https://aka.ms/security.md/msrc/create-report). | ||
| The repository's [security policy](https://github.com/microsoft/PyRIT/security/policy) | ||
| describes alternative reporting methods, the information to include, and Microsoft's | ||
| coordinated vulnerability disclosure policy. | ||
|
|
||
| Review the [PyRIT release notes](https://github.com/microsoft/PyRIT/releases) for | ||
| customer-facing security notices, known high-priority security issues, breaking | ||
| changes, and compatibility guidance for each release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is the existing release work item?