[ceph.git] / ceph / doc / security / process.rst
Vulnerability Management Process
================================

#. The report will be acknowledged within three business days.
#. The team will investigate the reported issue and will update the email
   thread with relevant information. The team may ask for additional
   information regarding the reported issue.
#. If the team does not confirm the report, no further action will be
   taken and the issue will be closed.
#. If the report is confirmed by Ceph team members, a unique CVE identifier
   will be assigned to the report and then shared with the reporter. The Ceph
   security team will start working on a fix.
#. If a reporter has no disclosure date in mind, a Ceph security team
   member will agree a coordinated release date (CRD) with the list members
   and share the mutually agreed disclosure date with the reporter.
#. The vulnerability disclosure / release date is set excluding Fridays and
   holiday periods.
#. Embargoes are preferred for Critical and High impact issues. An embargo
   should not be held for more than 90 days from the date of vulnerability
   confirmation, except under unusual circumstances. For Low and Moderate
   issues with limited impact and an easy workaround, or for issues that are
   already public, the standard patch release process will be followed to
   fix the vulnerability once a CVE is assigned.
#. Fixes for issues of "Medium" and "Low" severity will be released as part of
   the next standard release cycle. List members will receive seven days of
   advance notice prior to the release date of these fixes. The details of the
   CVE fix will be included in the release notes, and the release notes will be
   linked in the public announcement.
#. Commits will be handled in a private repository for review and
   testing, and a new patch version will be released from this private
   repository.
#. If a vulnerability is unintentionally already fixed in the public
   repository, downstream stakeholders/vendors are given a few days to
   prepare their updates before the public disclosure.
#. An announcement will be made disclosing the vulnerability. The
   fastest place to receive security announcements is via the
   `ceph-announce@ceph.io <ceph-announce@ceph.io>`_ or
   `oss-security@lists.openwall.com <oss-security@lists.openwall.com>`_ mailing
   lists. (These lists are low-traffic.)

If the report is considered embargoed, we ask you not to disclose the
vulnerability before it has been fixed and announced, unless you have
received a response from the Ceph security team that you may do so. This
holds true until the public disclosure date that was agreed upon by the
list. Thank you for improving the security of Ceph and its ecosystem. Your
efforts and responsible disclosure are greatly appreciated and will be
acknowledged.