If you believe you have discovered a potential security issue with CloudStack, please follow the procedure on the CloudStack Security Page.
Procedure for responding to potential security issues:
- Upon receiving notice of a potential security issue, a CloudStack security team member creates a bug to track the investigation. This bug must be flagged as a security issue; the security flag means the contents of the ticket are not visible to non-security team members.
- The security team investigates the issue to confirm or deny the presence of a vulnerability within CloudStack.
- If the issue is confirmed as a CloudStack vulnerability:
  - The security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System (CVSS).
  - The security team works with the reporter to agree on a window in which to investigate and mitigate the issue before public announcement. This should be between 15 and 30 days, depending on the severity and complexity of the issue.
  - The security team works with MITRE to reserve a CVE identifier for the future public release.
  - The security team works with the appropriate code maintainer(s) to create a patch that mitigates the issue.
  - Testing is conducted to verify that the patch mitigates the issue and does not cause regressions.
  - The security team creates a vulnerability announcement.
  - The patch is committed to trunk and to any other supported branches that are affected.
  - The security team posts the vulnerability announcement to:
    - the CloudStack security list
    - the CloudStack Users list
    - the CloudStack Security Twitter feed
    - the CloudStack Security alerts web page
    - the Bugtraq mailing list