If you've found an issue that you believe is a security vulnerability in a released version of CloudStack, please report it to security@cloudstack.apache.org with details about the vulnerability, how it might be exploited, and any additional information that might be useful.
Upon notification, the ACS security team will initiate the security response procedure. If the issue is validated, the team generally takes 2-4 weeks from notification to public announcement of the vulnerability. During this time, the team will communicate with you as they proceed through the response procedure, and ask that the issue not be announced before an agreed-upon date.
The security team asks that you please do not create publicly-viewable JIRA tickets related to the issue. If validated, a JIRA ticket with the security flag set will be created for tracking the issue in a non-public manner.
The PMC has decided to create a "Security Team" for CloudStack. The Security Team's charter is to manage the response to vulnerabilities reported with Apache CloudStack. This includes communication with the report, issue verification, issue correction, public communication creation, and vendor coordination. The Security Team may ask assistance from other community members to help verify or correct a reported issue.
Members of the PMC are eligible to join the security team, but lurking is discouraged.
Community members engaged by the Security Team are expected to hold the issue in confidence until public announcement of the vulnerability. This protects the users of the software and gives reasonable time for the response process to be implemented. Further information can be found on the ASF's How it Works page.
The scope of these procedures applies to vulnerabilities found in CloudStack releases 4.0.0-incubating and later.
CloudStack has an history that pre-dates the Apache Software Foundation. This includes the 2.0.x, 2.1.x, 2.2.x, and 3.0.x series of CloudStack releases. Vulnerabilities that are present in only these releases will be addressed by Citrix.
Some vulnerabilities may exist in ASF code releases as well as derivative works or binary distributions. This is discussed in the Distributors section below.
CloudStack operates a pre-disclosure list. This list contains the email addresses of the security response teams for significant CloudStack distributors. This includes both corporations and community institutions. The purpose of the pre-disclosure list is to enable the CloudStack project and distributors to participate in a bi-directional information sharing agreement for vulnerabilities. By joining the pre-disclosure list the organization and ACS mutually agree to jointly share vulnerability information that is originally reported to them, jointly verify and fix issues, and jointly (simultaneously) make vulnerability announcements and hotfix releases (if warranted) to the public. The ACS and organizations on the pre-disclosure list are also expected to be reasonably responsive, with a guided expectation of 2-4 weeks to verify issues and release fixes (if warranted). Response times should be discussed and agreed upon depending on the issue severity.
Pre-disclosure list members are expected to maintain the confidentiality of the vulnerability up to the embargo date that has been agreed to with the discoverer. Prior to the embargo date, pre-disclosure list members should not make available, even to their own customers and partners:
List members are allowed to make available to their users only the following:
The Security Team defines which organizations are admitted to the pre-disclosure list. Generally, well-established organizations with a mature security response process will be considered on a case-by-case basis. Organizations that meet the criteria should contact security@cloudstack.apache.org if they wish to participate in the pre-disclosure activities. The list of entities on the pre-disclosure list is public. No organization may privately receive pre-disclosure information.
This is a list of organizations on the pre-disclosure list