postmortem-template.md

Slimmed down template from: Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard Murphy. “Site Reliability Engineering.”, modified from https://raw.githubusercontent.com/dastergon/postmortem-templates/master/templates/postmortem-template-srebook.md.

Follow the SRE link for examples of how to populate.

A PR should be opened with postmortem placed in security/postmortems/cve-year-abcdef.md. If there are multiple CVEs in the postmortem, populate each alias with the string "See cve-year-abcdef.md".

Security postmortem for CVE-YEAR-ABCDEF, CVE-YEAR-ABCDEG

Incident date(s)

YYYY-MM-DD (as a date range if over a period of time)

Authors

@foo, @bar, ...

Status

Draft | Final

Summary

A few sentence summary.

CVE issue(s)

https://github.com/envoyproxy/envoy/issues/${CVE_ISSUED_ID}

Root Causes

What defect in Envoy led to the CVEs? How did this defect arise?

Resolution

How was the security release process followed? How were the fix patches structured and authored?

Detection

How was this discovered? Reported by XYZ, found by fuzzing? Private or public disclosure?

Action Items

Create action item issues and include in their body "Action item for CVE-YEAR-ABCDEF". Modify the search string below to include in the PR:

https://github.com/envoyproxy/envoy/issues?utf8=%E2%9C%93&q=is%3Aissue+%22Action+item+for+CVE-YEAR-ABCDEF%22

Lessons Learned

What went well

What went wrong

Where we got lucky

Timeline

All times US/Pacific

YYYY-MM-DD

• HH:MM Cake was made available
• HH:MM People ate the cake

YYYY-MM-DD

• HH:MM More cake was available
• HH:MM People ate more cake

Supporting information