If you've found an issue that you believe is a security vulnerability in a released version of CloudStack, please report it to security@cloudstack.apache.org with details about the vulnerability, how it might be exploited, and any additional information that might be useful.
Upon notification, the ACS security team will initiate the security response procedure. If the issue is validated, the team generally takes 2-4 weeks from notification to public announcement of the vulnerability. During this time, the team will communicate with you as they proceed through the response procedure, and ask that the issue not be announced before an agreed-upon date.
The security team asks that you please do not create publicly-viewable JIRA tickets related to the issue. If validated, a JIRA ticket with the security flag set will be created for tracking the issue in a non-public manner.
The PMC has decided to create a "Security Team" for CloudStack. To read more about team membership and activities, please visit the CloudStack Security Team page.
The scope of these procedures applies to vulnerabilities found in CloudStack releases 4.0.0-incubating and later.
CloudStack has a history that pre-dates the Apache Software Foundation. This includes the 2.0.x, 2.1.x, 2.2.x, and 3.0.x series of CloudStack releases. Vulnerabilities that are present only in these releases will be addressed by Citrix.
Some vulnerabilities may exist in ASF code releases as well as derivative works or binary distributions. This is discussed in the Distributors section below.
CloudStack operates a pre-disclosure list. This list contains the email addresses of the security response teams for significant CloudStack distributors. This includes both corporations and community institutions. The purpose of the pre-disclosure list is to enable the CloudStack project and distributors to participate in a bi-directional information sharing agreement for vulnerabilities. By joining the pre-disclosure list the organization and ACS mutually agree to jointly share vulnerability information that is originally reported to them, jointly verify and fix issues, and jointly (simultaneously) make vulnerability announcements and hotfix releases (if warranted) to the public. The ACS and organizations on the pre-disclosure list are also expected to be reasonably responsive, with a guided expectation of 2-4 weeks to verify issues and release fixes (if warranted). Response times should be discussed and agreed upon depending on the issue severity.
Pre-disclosure list members are expected to maintain the confidentiality of the vulnerability up to the embargo date that has been agreed to with the discoverer. Prior to the embargo date, pre-disclosure list members should not make available, even to their own customers and partners:
List members are allowed to make available to their users only the following:
The Security Team defines which organizations are admitted to the pre-disclosure list. Generally, well-established organizations with a mature security response process will be considered on a case-by-case basis. Organizations that meet the criteria should contact security@cloudstack.apache.org if they wish to participate in the pre-disclosure activities. The list of entities on the pre-disclosure list is public. No organization may privately receive pre-disclosure information.
This is the list of organizations on the pre-disclosure list.