Table of Contents |
---|
If you've found an issue that you believe is a security vulnerability in a released version of CloudStack, please report it to security@cloudstacksecurity@apache.apache.org with details about the vulnerability, how it might be exploited, and any additional information that might be useful.
...
The PMC has decided to create a "Security Team" for CloudStack. The Security Team's charter is to manage the response to vulnerabilities reported with Apache CloudStack. This includes communication with the report, issue verification, issue correction, public communication creation, and vendor coordination. The Security Team may ask assistance from other community members to help verify or correct a reported issue.
Members of the PMC are eligible to join the security team, but lurking is discouraged.
Community members engaged by the Security Team are expected to hold the issue in confidence until public announcement of the vulnerability. This protects the users of the software and gives reasonable time for the response process to be implemented. Further information can be found on the ASF's How it Works page.To read more about team membership and activities, please visit CloudStack Security Team
...
CloudStack operates a pre-disclosure list. This list contains the email addresses of the security response teams for significant CloudStack distributors. This includes both corporations and community institutions. The purpose of the pre-disclosure list is to enable the CloudStack project and distributors to participate in a bi-directional information sharing agreement for vulnerabilities. By joining the pre-disclosure list the organization and ACS mutually agree to jointly share vulnerability information that is originally reported to them, jointly verify and fix issues, and jointly (simultaneously) make vulnerability announcements and hotfix releases (if warranted) to the public. The ACS and organizations on the pre-disclosure list are also expected to be reasonably responsive, with a guided expectation of 2-4 weeks to verify issues and release fixes (if warranted). Response times should be discussed and agreed upon depending on the issue severity.
Pre-disclosure list members are expected to maintain the confidentiality of the vulnerability up to the embargo date that has been agreed to with the discoverer. Prior to the embargo date, pre-disclosure list members should not make available, even to their own customers and partners:
List members are allowed to make available to their users only the following:
The Security Team defines which organizations are admitted to the pre-disclosure list. Generally, well-established organizations with a mature security response process will be considered on a case-by-case basis. Organizations that meet the criteria should contact security@cloudstack.apache.org if they wish to participate in the pre-disclosure activities. The list of entities on the pre-disclosure list is public. No organization may privately receive pre-disclosure information.
This is a list of organizations on the pre-disclosure list
...
CloudStack Security Team will coordinate with members of the Security pre-disclosure list to receive early warning about security issues before they are disclosed to the general public.