The PMC has decided to create a "Security Team" for CloudStack.  The Security Team's charter is to manage the response to vulnerabilities reported with Apache CloudStack.  This includes private communication with the reporter, issue verification, issue correction, public communication around vulnerabilities, and vendor coordination.  The Security Team may ask assistance from other community members to help verify or correct a reported issue.

Community members engaged by the Security Team are expected to hold the issue in confidence until public announcement of the vulnerability.  This protects the users of the software and gives reasonable time for the response process to be implemented.  Further information can be found on the ASF's How it Works page.

Contacting the Security Team

If you believe you have found a security issue within Apache CloudStack, please follow the Security response procedure to contact the team and improve the software.

Membership

Due to the sensitive nature of the content, the ACS Security Team is made up of mostly PMC members. Any communication on the mailing list is also sent to the general Apache security mailing list.

Members of the PMC are eligible to join the security team, but lurking is discouraged.

ACS committers with an information security background who wish to work with the security team on an ongoing basis should send an email to the PMC for membership consideration.

Vendors and partners seeking access

From time to time, we have security staff from organizations that actively use CloudStack ask to join the Security Team. While we truly appreciate their interest, energy, and contributions, as an ASF project we do not allow access to private mailing lists to folks without committer status.

Therefore, the process for non-committers with an interest or experience in information security would be that of any other contributor - participate in the community, submit patches, contact the security team with security issues (patches are always welcome, too!). As the PMC sees your contributions, you will be invited to become a committer, and can then petition the PMC to consider you for security team membership.

We realize this requires jumping through several hoops, but understand that our goal is to maintain a trustworthy group of people with an active, ongoing interest in Apache CloudStack (and the security of ACS), within the guidelines of an ASF project.

Pre-disclosure list

Well-established organizations with mature security processes for whom CloudStack is critical infrastructure may want to join the Security pre-disclosure list, which provides early notification of vulnerabilities after discussion and remediation by the security team, before announcement to the general public.
