|
Packit |
bc9a3a |
# Security Policy

The following documents the upstream cloud-init security policy.

## Reporting

If a user finds a security issue, they are requested to file a [private
security bug on Launchpad](https://bugs.launchpad.net/cloud-init/+filebug).
To ensure the information stays private, change the "This bug contains
information that is:" from "Public" to "Private Security" when filing.

After the bug is received, the issue is triaged within 2 working days of
being reported and a response is sent to the reporter.

## cloud-init-security

The cloud-init-security Launchpad team is a private, invite-only team used to
discuss and coordinate security issues with the project.

Any issues disclosed to the cloud-init-security mailing list are considered
embargoed and should only be discussed with other members of the
cloud-init-security mailing list before the coordinated release date, unless
a specific exception is granted by the administrators of the mailing list. This
includes disclosure of any details related to the vulnerability or the
presence of a vulnerability itself. Violation of this policy may result in
removal from the list for the company or individual involved.

## Evaluation

If the reported bug is deemed a real security issue, a CVE is assigned by
the Canonical Security Team as CVE Numbering Authority (CNA).

If it is deemed a regular, non-security issue, the reporter will be asked to
follow typical bug reporting procedures.

In addition to the disclosure timeline, the core Canonical cloud-init team
will enlist the expertise of the Ubuntu Security team for guidance on
industry-standard disclosure practices as necessary.

If an issue specifically involves another distro or cloud vendor, additional
individuals will be informed of the issue to help in evaluation.

## Disclosure

Disclosure of security issues will be made with a public statement. Once the
determined time for disclosure has arrived, the following will occur:

* A public bug is filed/made public with vulnerability details, CVE,
  mitigations and where to obtain the fix
* An email is sent to the [public cloud-init mailing list](https://lists.launchpad.net/cloud-init/)

The disclosure timeframe is coordinated with the reporter and members of the
cloud-init-security list. This depends on a number of factors:

* The reporter might have their own disclosure timeline (e.g. Google Project
  Zero and many others use 90 days after the initial report OR when a fix
  becomes public)
* It might take time to decide upon and develop an appropriate fix
* A distro might want extra time to backport any possible fixes before
  the fix becomes public
* A cloud may need additional time to prepare to help customers or implement
  a fix
* The issue might be deemed low priority
* It may be desirable to align with an upcoming planned release