# Security Policy

The information below, as well as information about past
vulnerabilities, can be found at

https://docs.ceph.com/en/latest/security/

## Supported Versions

A new major Ceph release is made every year, and security and bug fixes
are backported to the last two releases. For the current active
releases and the estimated end-of-life for each, please refer to

https://docs.ceph.com/en/latest/releases/

## Reporting a Vulnerability

To report a vulnerability, please send email to security@ceph.io

* Please do not file a public ceph tracker issue for a vulnerability.
* We urge reporters to provide as much information as is practical
  (a reproducer, versions affected, fix if available, etc.), as this
  can speed up the process considerably.
* Please let us know to whom credit should be given and with what
  affiliations.
* If this issue is not yet disclosed publicly and you have any
  disclosure date in mind, please share the same along with the
  report.

Although you are not required to, you may encrypt your message using
the following GPG key:

**6EEF26FFD4093B99: Ceph Security Team (security@ceph.io)**

**Download:** [MIT PGP Public Key Server](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x6EEF26FFD4093B99)
**Fingerprint:** A527 D019 21F9 7178 C232 66C1 6EEF 26FF D409 3B99

## Vulnerability Management Process

* The report will be acknowledged within three business days or less.
* The team will investigate and update the email thread with relevant
  information and may ask for additional information or guidance
  surrounding the reported issue.
* If the team does not confirm the report, no further action will be
  taken and the issue will be closed.
* If the team confirms the report, a unique CVE identifier will be
  assigned and shared with the reporter. The team will take action to
  fix the issue.
* If a reporter has no disclosure date in mind, a Ceph security team
  member will coordinate a release date (CRD) with the list members
  and share the mutually agreed disclosure date with the reporter.
* The vulnerability disclosure / release date is set excluding Fridays and
  holiday periods.
* Embargoes are preferred for Critical and High impact
  issues. An embargo should not be held for more than 90 days from the
  date of vulnerability confirmation, except under unusual
  circumstances. For Low and Moderate issues with limited impact and
  an easy workaround, or where an issue is already public, the
  standard patch release process will be followed to fix the
  vulnerability once a CVE is assigned.
* Medium and Low severity issues will be released as part of the next
  standard release cycle, with at least 7 days' advance
  notification to the list members prior to the release date. The CVE
  fix details will be included in the release notes, which will be
  linked in the public announcement.
* Commits will be handled in a private repository for review and
  testing and a new patch version will be released from this private
  repository.
* If a vulnerability is unintentionally already fixed in the public
  repository, a few days are given to downstream stakeholders/vendors
  to prepare for updating before the public disclosure.
* An announcement will be made disclosing the vulnerability. The
  fastest place to receive security announcements is via the
  ceph-announce@ceph.io or oss-security@lists.openwall.com mailing
  lists. (These lists are low-traffic.)

If the report is considered embargoed, we ask you to not disclose the
vulnerability before it has been fixed and announced, unless you
received a response from the Ceph security team that you can do
so. This holds true until the public disclosure date that was agreed
upon by the list. Thank you for improving the security of Ceph and its
ecosystem. Your efforts and responsible disclosure are greatly
appreciated and will be acknowledged.