
If you believe you have discovered a potential security issue with CloudStack, please follow the procedure on the CloudStack Security Page.

Procedure for responding to potential security issues:

  • Upon receiving notice of a potential security issue, a CloudStack security team member creates a bug to track the investigation. This bug must be flagged as a security issue; the security flag means the contents of the ticket are not visible to non-security-team members.
  • The security team investigates the issue to confirm or deny the presence of a vulnerability within CloudStack.
  • If the issue is confirmed as a CloudStack vulnerability:
    • The security team assigns a risk rating to the vulnerability using the Common Vulnerability Scoring System (CVSS).
    • The security team works with the reporter so that the issue can be investigated and mitigated in a timely manner before public announcement. This period should be between 15 and 30 days, depending on the severity and complexity of the issue.
    • The security team works with MITRE to reserve a CVE identifier for future public release.
    • The security team works with the appropriate code maintainer(s) to create a patch that mitigates the issue.
    • Testing is conducted to verify that the patch mitigates the issue and does not cause regressions.
    • The security team creates a vulnerability announcement.
    • The patch is committed to trunk and to all other supported branches that are affected.
    • The security team posts the vulnerability announcement to:
      • CloudStack security list
      • CloudStack Users list
      • CloudStack Security Twitter feed
      • CloudStack Security alerts web page
      • The Bugtraq mailing list