The Volcano project has adopted this security disclosure and response policy to ensure responsible handling of critical issues.
Security vulnerabilities should be handled quickly and sometimes privately. The primary goal of this process is to reduce the total time users are vulnerable to publicly known exploits.
The Product Security Team (PST) is responsible for organizing the entire response including internal communication and external disclosure.
The initial Product Security Team will consist of all maintainers in the private volcano-security list. In the future we may decide to have a subset of maintainers work on security response given that this process is time consuming.
If you find a security vulnerability or any security related issues, please DO NOT file a public issue. Do not create a Github issue. Instead, send your report privately to volcano-security@googlegroups.com. Security reports are greatly appreciated and we will publicly thank you for it.
Please provide as much information as possible, so we can react quickly. For instance, that could include:
If you know of a publicly disclosed security vulnerability please IMMEDIATELY email volcano-security@googlegroups.com to inform the Product Security Team (PST) about the vulnerability so we start the patch, release, and communication process.
If possible the PST will ask the person making the public report if the issue can be handled via a private disclosure process (for example if the full exploit details have not yet been published). If the reporter denies the request for private disclosure, the PST will move swiftly with the fix and release process. In extreme cases you can ask GitHub to delete the issue but this generally isn't necessary and is unlikely to make a public disclosure less damaging.
For each vulnerability a member of the PST will volunteer to lead coordination with the "Fix Team" and is responsible for sending disclosure emails to the rest of the community. This lead will be referred to as the "Fix Lead."
The role of Fix Lead should rotate round-robin across the PST.
Note that given the current size of the Volcano community it is likely that the PST is the same as the "Fix team." The PST may decide to bring in additional contributors for added expertise depending on the area of the code that contains the vulnerability.
All of the timelines below are suggestions and assume a Private Disclosure. If the Team is dealing with a Public Disclosure all timelines become ASAP. If the fix relies on another upstream project's disclosure timeline, that will adjust the process as well. We will work with the upstream project to fit their timeline and best protect our users.
These steps should be completed within the first 24 hours of disclosure.
These steps should be completed within the 1-7 days of Disclosure.
If the CVSS score is under 4.0 (a low severity score) the Fix Team can decide to slow the release process down in the face of holidays, developer bandwidth, etc. These decisions must be discussed on the volcano-security mailing list.
With the Fix Development underway the Volcano Security Team needs to come up with an overall communication plan for the wider community. This Disclosure process should begin after the Team has developed a fix or mitigation so that a realistic timeline can be communicated to users.
Disclosure of Forthcoming Fix to Users (Completed within 1-7 days of Disclosure)
The communication to users should be actionable. They should know when to block time to apply patches, understand exact mitigation steps, etc.
Optional Fix Disclosure to Private Distributors List (Completed within 1-14 days of Disclosure):
Fix Release Day (Completed within 1-21 days of Disclosure)
This list is intended to be used primarily to provide actionable information to multiple distributor projects at once. This list is not intended for individuals to find out about security issues.
The information members receive on volcano-distributors-announce@lists.cncf.io must not be made public, shared, nor even hinted at anywhere beyond the need-to-know within your specific team except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. Members of the list and others may not use the information for anything other than getting the issue fixed for your respective distribution's users.
Before any information from the list is shared with respective members of your team required to fix said issue, they must agree to the same terms and only find out information on a need-to-know basis.
In the unfortunate event you share the information beyond what is allowed by this policy, you must urgently inform the volcano-security@googlegroups.com mailing list of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to prevent making the same mistake in the future.
If you continue to leak information and break the policy outlined here, you will be removed from the list.
This is a team effort. As a member of the list you must carry some water. This could be in the form of the following:
Technical
Administrative
To be eligible for the volcano-distributors-announce@lists.cncf.io mailing list, your distribution should:
New membership requests are sent to volcano-security@googlegroups.com.
In the body of your request please specify how you qualify and fulfill each criterion listed in Membership Criteria.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。