SIG-Security holds weekly triage on Mondays. High priority issues can be triaged via Discord as and when required.
The standard O3DE triage guide should be used to cover process for accepting issues and setting standard labels.
Brief overview of process for maintainers:
- Ensure issue can be accepted by SIG.
- Remove the
needs-triagelabel and addtriage-acceptedlabel - Set a priority
- Remove the
- Or assign a reviewer/maintainer to reproduce, get more information or followup on issue.
- O3DE issues to triage for SIG: https://github.com/o3de/o3de/issues?q=is%3Aissue+is%3Aopen+label%3Aneeds-triage+label%3Asig%2Fsecurity
- O3DE known security issues: https://github.com/o3de/o3de/issues?q=is%3Aissue+is%3Aopen+label%3Akind%2Fsecurity
- Dependabot alerts to check (link only accessible to SIG-Security maintainers): https://github.com/o3de/o3de/security/dependabot
- For new alerts, create new GitHub issues against O3DE and tag with
kind\securitylabel for tracking.
- For new alerts, create new GitHub issues against O3DE and tag with
- Ensure issues have the label
kind\securityset on them. SIG security uses this label to find issues assigned to other SIGs. - SIG-Security should only own issues for code areas SIG-Security maintains (see charter for areas of ownership) or actively intends to work on.
If an issue has a CVE/NVD score associated with it then use the following table to set priorities. This table maps NVS CSVS V3 scores to O3DE issue priorities.
| CVSS/NVD Range | CVSS 3.0 Issue Priority | O3DE Issue Priority |
|---|---|---|
| 9.0 - 10.0 | Critical | Blocker |
| 7.0 - 8.9 | High | Critical |
| 4.0 - 6.9 | Medium | Major |
| 0.1 - 3.9 | Low | Minor |
| 0.0 | None | No Priority |
The O3DE issue priority is only a guide and where we should start the discussion of the issue with the SIG that owns the code. The owning SIG should work out if the vulnerability is applicable to O3DE and can propose change of issue priority.