by spiffxp
2755 days ago
I was part of the Kubernetes v1.13 release team, though not part of the team that produced this fix. The project's Product Security Team adhered to the timeline indicated in the project's security release process: https://github.com/kubernetes/sig-release/blob/master/securi... tl;dr: a fix is (edit: optionally) sent out to a private distributors list under embargo within 2 weeks of disclosure, and public disclosure (with new releases) happens within 3 weeks of disclosure (with some discretion for timing to make sure it's not buried in a weekend or off-hours). I can't speak to who knew about it when outside of the project, but I know the project acted expediently once the vulnerability was disclosed.
(Also, aside, props to everyone that got this rolled out so fast at the major providers.)