Introduce a security policy (#4281)

When users or researchers discover security issues in Linkerd, they may
prefer to communicate privately, rather than through our public issues.

I've put together a first version of this security policy into
SECURITY.md, which GitHub integrates with:

See https://help.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository

Fixes #3009
Oliver Gould 2020-04-21 16:01:31 -07:00 committed by GitHub
parent b00a84126d
commit 1800d3e972
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 0 deletions

SECURITY.md Normal file

@ -0,0 +1,32 @@
# Security Policy
## Supported Versions
We provide security updates for the two most recent minor versions released on the `stable`
channel.
For example, if `stable-2.7.1` is the most recent stable versions, we will address security
updates for `stable-2.6.0` and later. Once `stable-2.8.0` is released, we will no longer provide
updates for `stable-2.6.x` releases.
## Reporting a Vulnerability
To report a security problem in Linkerd, please contact the Security Alert Team:
<cncf-linkerd-security-alert@lists.cncf.io>.
The team will help diagnose the severity of the issue and determine how to address the issue.
Issues deemed to be non-critical will be filed as GitHub issues. Critical issues will receive
immedaite attention and be fixed as quickly as possible.
## Security Advisories
When serious security problems in Linkerd are discovered and corrected, we issue a security
advisory, describing the problem and containing a pointer to the fix. These are announced to our
cncf-linkerd-announce mailing list as well as to various other mailing lists and websites.
Security issues are fixed as soon as possible, and the fixes are propagated to the stable
branches as fast as possible. However, when a vulnerability is found during a code audit, or when
several other issues are likely to be spotted and fixed in the near future, the security team may
delay the release of a Security Advisory, so that one unique, comprehensive Security Advisory
covering several vulnerabilities can be issued. Communication with vendors and other
distributions shipping the same code may also cause these delays.
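Review bot: The "Reporting a Vulnerability" section tells reporters where to send a report but not what to expect afterwards, and it offers no way to send the report encrypted; consider adding an acknowledgment window (e.g. "we will acknowledge receipt within N business days") and either a PGP key or a statement that the list address is the only intake channel, so a reporter can tell the difference between a slow triage and a lost mail. Two wording fixes in the same file: line 29 reads "is the most recent stable versions" and should be "version", and line 37 has "immedaite" for "immediate". The "Supported Versions" example is otherwise consistent with the stated rule (2.6 and 2.7 supported while 2.7.1 is current, 2.6.x dropped once 2.8.0 ships), but it would help to state explicitly whether `edge` channel releases receive any security fixes, since the text only ever mentions the `stable` channel.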