Table of Contents generated with DocToc

Security workflow skill family

End-to-end automation for an ASF project’s security-issue handling process — from inbound report on the project’s security@ mailing list through to a published CVE record on cve.org. Nine skills that compose into the canonical 16-step lifecycle, plus one read-only supporting skill for tracker-stats dashboards.

Why a framework skill family? The 16-step process exists across the foundation; every project’s security team runs essentially the same workflow with project-specific scope labels, mailing-list addresses, milestone formats, and canned-response wording. Lifting the workflow into a project-agnostic framework lets each adopter plug their specifics into <project-config>/ and reuse the skills verbatim.

Skills

Lifecycle skills

SkillPurpose
security-issue-importImport new reports from <security-list> into <tracker>.
security-issue-import-from-prOpen a tracker for a security-relevant fix opened as a public PR.
security-issue-import-from-mdBulk-import findings from a markdown report.
security-issue-triagePropose an initial-triage disposition (VALID / DEFENSE-IN-DEPTH / INFO-ONLY / INVALID / PROBABLE-DUP / FIX-ALREADY-PUBLIC) for each tracker still in Needs triage; opens a discussion comment, never flips the label.
security-issue-syncReconcile a tracker against its mail thread, fix PR, release train, and archives.
security-cve-allocateAllocate a CVE for a tracker (Vulnogram URL + paste-ready JSON).
security-issue-fixImplement the fix as a public PR in <upstream>.
security-issue-deduplicateMerge two trackers describing the same root-cause vulnerability.
security-issue-invalidateClose a tracker as invalid with a polite-but-firm reporter reply.

Supporting tools

SkillPurpose
security-tracker-stats-dashboardGenerate a self-contained HTML dashboard of <tracker> repo statistics (lifecycle bands, opened-vs-untriaged backlog, mean time to triage / first response / fix). Read-only — never modifies tracker state.

Deep documentation

  • process.md — the 16-step lifecycle with Mermaid diagram + per-step description; the label lifecycle state diagram + label reference table. The authoritative process reference.
  • roles.md — who owns which steps (issue triager / remediation developer / release manager), the shared conventions every role observes (keeping the reporter informed, recording status transitions, confidentiality), and the role-by-role workflow walkthroughs.
  • how-to-fix-a-security-issue.md — hands-on guide for a remediation developer picking up a CVE-allocated tracker and shipping the fix.
  • new-members-onboarding.md — onboarding for a new security-team member: tracker access, mail list subscription, expected reading, first triage shadow.
  • threat-model.md — release-blocking threat model for the security skill family: trust boundaries, adversary personas, STRIDE matrix per skill, mitigation cross- reference, residual risk, and the re-audit cadence.
  • forwarder-routing-policy.md — when a tracker has no direct reporter contact (ASF-relay, read-only GHSA, anonymous tip), the skills route reporter-facing communication through the forwarder. The policy defines when that mode applies, the milestone list (events that do get relayed), and the negative list (events that don’t — including credit-confirmation questions and regular workflow status).

Adopter contract

The skills resolve project-specific content from the security- workflow files in <project-config>/ — see the adopter scaffold’s README.md for the file-by-file index. Required at minimum:

  • project.md — identity, repos, mailing lists, tools
  • canned-responses.md — reporter-facing reply templates
  • scope-labels.md — scope label → CVE product mapping
  • release-trains.md — release-manager attribution
  • title-normalization.md — CVE-title regex cascade

Optional but commonly needed: milestones.md, fix-workflow.md, security-model.md, naming-conventions.md.

Cross-references