[ceph.git] / ceph / SECURITY.md

# Security Policy

The information below, as well as information about past
vulnerabilities, can be found at

  https://docs.ceph.com/en/latest/security/

## Supported Versions

A new major Ceph release is made every year, and security and bug fixes
are backported to the last two releases.  For the current active
releases and the estimated end-of-life for each, please refer to

  https://docs.ceph.com/en/latest/releases/

## Reporting a Vulnerability

To report a vulnerability, please send email to security@ceph.io

* Please do not file a public ceph tracker issue for a vulnerability.
* We urge reporters to provide as much information as is practical 
  (a reproducer, versions affected, fix if available, etc.), as this
  can speed up the process considerably.
* Please let us know to whom credit should be given and with what
  affiliations.
* If this issue is not yet disclosed publicly and you have any
  disclosure date in mind, please share the same along with the
  report.

Although you are not required to, you may encrypt your message using
the following GPG key:

**6EEF26FFD4093B99: Ceph Security Team (security@ceph.io)**

**Download:** [MIT PGP Public Key Server](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x6EEF26FFD4093B99)   
**Fingerprint:** A527 D019 21F9 7178 C232 66C1 6EEF 26FF D409 3B99

## Vulnerability Management Process

* The report will be acknowledged within three business days or less.
* The team will investigate and update the email thread with relevant
  information and may ask for additional information or guidance
  surrounding the reported issue.
* If the team does not confirm the report, no further action will be
  taken and the issue will be closed.
* If the team confirms the report, a unique CVE identifier will be
  assigned and shared with the reporter. The team will take action to
  fix the issue.
* If a reporter has no disclosure date in mind, a Ceph security team
  member will coordinate a release date (CRD) with the list members
  and share the mutually agreed disclosure date with the reporter.
* The vulnerability disclosure / release date is set excluding Friday and
  holiday periods.
* Embargoes are preferred for Critical and High impact
  issues. Embargo should not be held for more than 90 days from the
  date of vulnerability confirmation, except under unusual
  circumstances. For Low and Moderate issues with limited impact and
  an easy workaround or where an issue that is already public, a
  standard patch release process will be followed to fix the
  vulnerability once CVE is assigned.
* Medium and Low severity issues will be released as part of the next
  standard release cycle, with at least a 7 days advanced
  notification to the list members prior to the release date. The CVE
  fix details will be included in the release notes, which will be
  linked in the public announcement.
* Commits will be handled in a private repository for review and
  testing and a new patch version will be released from this private
  repository.
* If a vulnerability is unintentionally already fixed in the public
  repository, a few days are given to downstream stakeholders/vendors
  to prepare for updating before the public disclosure.
* An announcement will be made disclosing the vulnerability. The
  fastest place to receive security announcements is via the
  ceph-announce@ceph.io or oss-security@lists.openwall.com mailing
  lists.  (These lists are low-traffic).

If the report is considered embargoed, we ask you to not disclose the
vulnerability before it has been fixed and announced, unless you
received a response from the Ceph security team that you can do
so. This holds true until the public disclosure date that was agreed
upon by the list. Thank you for improving the security of Ceph and its
ecosystem. Your efforts and responsible disclosure are greatly
appreciated and will be acknowledged.
Commit	Line	Data
20effc67 TL	1	# Security Policy
	2
	3	The information below, as well as information about past
	4	vulnerabilities, can be found at
	5
	6	https://docs.ceph.com/en/latest/security/
	7
	8	## Supported Versions
	9
	10	A new major Ceph release is made every year, and security and bug fixes
	11	are backported to the last two releases. For the current active
	12	releases and the estimated end-of-life for each, please refer to
	13
	14	https://docs.ceph.com/en/latest/releases/
	15
	16	## Reporting a Vulnerability
	17
	18	To report a vulnerability, please send email to security@ceph.io
	19
	20	* Please do not file a public ceph tracker issue for a vulnerability.
	21	* We urge reporters to provide as much information as is practical
	22	(a reproducer, versions affected, fix if available, etc.), as this
	23	can speed up the process considerably.
	24	* Please let us know to whom credit should be given and with what
	25	affiliations.
	26	* If this issue is not yet disclosed publicly and you have any
	27	disclosure date in mind, please share the same along with the
	28	report.
	29
	30	Although you are not required to, you may encrypt your message using
	31	the following GPG key:
	32
	33	6EEF26FFD4093B99: Ceph Security Team (security@ceph.io)
	34
	35	Download: [MIT PGP Public Key Server](https://pgp.mit.edu/pks/lookup?op=vindex&search=0x6EEF26FFD4093B99)
	36	Fingerprint: A527 D019 21F9 7178 C232 66C1 6EEF 26FF D409 3B99
	37
	38	## Vulnerability Management Process
	39
	40	* The report will be acknowledged within three business days or less.
	41	* The team will investigate and update the email thread with relevant
	42	information and may ask for additional information or guidance
	43	surrounding the reported issue.
	44	* If the team does not confirm the report, no further action will be
	45	taken and the issue will be closed.
	46	* If the team confirms the report, a unique CVE identifier will be
	47	assigned and shared with the reporter. The team will take action to
	48	fix the issue.
	49	* If a reporter has no disclosure date in mind, a Ceph security team
	50	member will coordinate a release date (CRD) with the list members
	51	and share the mutually agreed disclosure date with the reporter.
	52	* The vulnerability disclosure / release date is set excluding Friday and
	53	holiday periods.
	54	* Embargoes are preferred for Critical and High impact
	55	issues. Embargo should not be held for more than 90 days from the
	56	date of vulnerability confirmation, except under unusual
	57	circumstances. For Low and Moderate issues with limited impact and
	58	an easy workaround or where an issue that is already public, a
	59	standard patch release process will be followed to fix the
	60	vulnerability once CVE is assigned.
	61	* Medium and Low severity issues will be released as part of the next
	62	standard release cycle, with at least a 7 days advanced
	63	notification to the list members prior to the release date. The CVE
	64	fix details will be included in the release notes, which will be
65	linked in the public announcement.
66	* Commits will be handled in a private repository for review and
67	testing and a new patch version will be released from this private
68	repository.
69	* If a vulnerability is unintentionally already fixed in the public
70	repository, a few days are given to downstream stakeholders/vendors
71	to prepare for updating before the public disclosure.
72	* An announcement will be made disclosing the vulnerability. The
73	fastest place to receive security announcements is via the
74	ceph-announce@ceph.io or oss-security@lists.openwall.com mailing
75	lists. (These lists are low-traffic).
76
77	If the report is considered embargoed, we ask you to not disclose the
78	vulnerability before it has been fixed and announced, unless you
79	received a response from the Ceph security team that you can do
80	so. This holds true until the public disclosure date that was agreed
81	upon by the list. Thank you for improving the security of Ceph and its
82	ecosystem. Your efforts and responsible disclosure are greatly
83	appreciated and will be acknowledged.