Updates based on feedback for the triage process

Author: PushkarJ

sig-security/README.md

@@ -53,6 +53,7 @@ Development and Enhancements of Security Tooling
   - [kubernetes/community/sig-security/sig-security-tooling](https://github.com/kubernetes/community/blob/master/sig-security/sig-security-tooling/OWNERS)
 - **Contact:**
   - Slack: [#sig-security-tooling](https://kubernetes.slack.com/messages/sig-security-tooling)
+  - [Mailing List]([email protected])
 
 [subproject-definition]: https://github.com/kubernetes/community/blob/master/governance.md#subprojects
 <!-- BEGIN CUSTOM CONTENT -->

sig-security/sig-security-tooling/vulnerability-mgmt/build-time-dependencies.md

@@ -101,6 +101,10 @@ cat licenses-cves.json | jq '.vulnerabilities | .[] | select ((.type=="license")
 
 ### Example of filtered JSON scan result
 
+__Note__: Results of the filtered scan are not printed as part of the CI job. 
+However, the following historical scan result is mentioned here for 
+reference purposes only:
+
 <!-- markdownlint-disable MD033 -->
 <details><summary>Click to view result</summary>
 <!-- markdownlint-enable MD033 -->

sig-security/sig-security-tooling/vulnerability-mgmt/policy-for-vulnerability-resolution.md

@@ -13,13 +13,25 @@ is triggered to apply the fix to kubernetes or document the cause for not fixing
 
 ## Triage process
 
-|No.   |  Category |  Definition |  Resolution |
-|---|---|---|---|
-| 1  | False positive  |  k/k and vulnerable package is not impacted by this CVE | Open a Github issue and log the resolution  |
-| 2  | True positive but no impact  | Package version used in k/k is vulnerable, but k/k is not using the vulnerable code  | Open a Github issue and a PR to bump the dependency to the version with a fix. This fix will go in subsequent release of k/k  |
-| 3  | True positive with negligible impact  | Package version used in k/k is vulnerable, but k/k is using the vulnerable code, but the vulnerability does not apply as per k/k threat model  |  Open a Github issue that describes why this will have negligible impact with relevant compensatory controls. Also, open a PR to bump the dependency to the version with a fix. This fix will go in subsequent release of k/k |
-| 4  | True positive with impact  | Package version used in k/k is vulnerable, and k/k is using the vulnerable code  |  Open a Github issue, that assesses impact, modifies CVSS rating for k8s, if needed and suggest compensatory controls. Also, open a PR to bump the dependency and backport the fix up to n-2 k/k version |
-| 5  | Embargoed vulnerability  | No CVE ID is assigned so scanners do not detect it  |  Product Security Committee / Security Response Committee triages and follows existing process for embargoed CVEs |
+- The vulnerabilities are triaged in private, by members of
+  `[email protected]`
+- Membership to this group is restricted due to the confidential nature of the
+  responsibilities
+- Once a vulnerability is found through automation, the group members get
+  notified via an email about it
+- One of the group members then triages this vulnerability and classifies it
+  into one of the following categories:
+
+  |No.   |  Category |  Definition |  Resolution |
+     |---|---|---|---|
+  | 1  | False positive  |  k/k and vulnerable package is not impacted by this CVE | Open a Github issue and log the resolution  |
+  | 2  | True positive but no impact  | Package version used in k/k is vulnerable, but k/k is not using the vulnerable code  | Open a Github issue and a PR to bump the dependency to the version with a fix. This fix will go in subsequent release of k/k  |
+  | 3  | True positive with negligible impact  | Package version used in k/k is vulnerable, but k/k is using the vulnerable code, but the vulnerability does not apply as per k/k threat model  |  Open a Github issue that describes why this will have negligible impact with relevant compensatory controls. Also, open a PR to bump the dependency to the version with a fix. This fix will go in subsequent release of k/k |
+  | 4  | True positive with impact  | Package version used in k/k is vulnerable, and k/k is using the vulnerable code  |  Open a Github issue, that assesses impact, modifies CVSS rating for k8s, if needed and suggest compensatory controls. Also, open a PR to bump the dependency and backport the fix up to n-2 k/k version |
+  | 5  | Embargoed vulnerability  | No CVE ID is assigned so scanners do not detect it  |  Product Security Committee / Security Response Committee triages and follows existing process for embargoed CVEs |
+
+- Once the category is identified, the resolution is triggered manually by the
+  member triaging the vulnerability.
 
 ## Examples
 

sigs.yaml

@@ -2158,6 +2158,7 @@ sigs:
     description: Development and Enhancements of Security Tooling
     contact:
       slack: sig-security-tooling
+      mailing_list: [email protected]
     owners:
     - https://raw.githubusercontent.com/kubernetes/community/master/sig-security/sig-security-tooling/OWNERS
 - dir: sig-service-catalog