pchickey opened PR #48 from bytecodealliance:pch/vuln_runbook_updates to bytecodealliance:main:
Updates to the vulnerability response runbook:
- use CVSS instead of OpenSSL to determine severity
- wasmtime has a substantially different security backport policy
- minor capitalization and formatting fixes
pchickey updated PR #48.
pchickey requested TSC for a review on PR #48.
:thumbs_up: alexcrichton submitted PR review:
Looks reasonable to me, but I also think it's fine if we let the living document in our docs be the source of truth rather than also updating here, too. Although maybe this could link to say the most up-to-date version is there too?
:thumbs_up: tschneidereit submitted PR review:
Looks good to me, too. Though I also agree with Alex that it might be better to just add a note here that the up-to-date version of the runbook lives elsewhere, since RFCs aren't really meant to be living documents (sorta for better and worse.)
:speech_balloon: tschneidereit created PR review comment:
It might make sense to leave out the details here, replacing them with more generic language about projects choosing and documenting their release support policy, and then committing to patching all supported releases. That could come with a link to Wasmtime's release process doc as an example.
I updated this because I went looking for the runbook and forgot that the living copy was in the wasmtime docs, so I filled out these fixes before I actually found the wasmtime one. Will close this and just insert a notice at the top to redirect to the living document.
:cross_mark: pchickey closed without merge PR #48.
Last updated: Jun 01 2026 at 09:49 UTC