mirror of https://github.com/linkerd/linkerd2.git
Update SECURITY.md (#11670)
Signed-off-by: William Morgan <william@buoyant.io>
This commit is contained in:
parent
9216804b30
commit
8ccfa32c98
80
SECURITY.md
@ -1,39 +1,67 @@
# Security Policy
# Linkerd Security Policy
## Supported Versions
Security is critical to Linkerd and we take it very seriously. Not only must
Linkerd be secure, it must improve the security of the system around it. To this
end, every aspect of Linkerd's development is done with security in mind.
We provide security updates for the two most recent minor versions released on
the `stable` channel.
Linkerd makes use of a variety of tools to ensure software security, including:
For example, if `stable-2.7.1` is the most recent stable versions, we will
address security updates for `stable-2.6.0` and later. Once `stable-2.8.0` is
released, we will no longer provide updates for `stable-2.6.x` releases.
* Code review
* Dependency hygiene and supply chain security via
[dependabot](https://docs.github.com/en/code-security/dependabot)
* [Fuzz testing](https://linkerd.io/2021/05/07/fuzz-testing-for-linkerd/)
* [Third-party security audits](#security-audits)
* And other forms of manual, static, and dynamic checking.
## Reporting a Vulnerability
To report a security problem in Linkerd, please contact the Security Alert Team:
<cncf-linkerd-security-alert@lists.cncf.io>.
If you believe you've found a security problem in Linkerd, whether in the
control plane, proxy, or any other component, please file a [GitHub security
advisory on the linkerd2
repo](https://github.com/linkerd/linkerd2/security/advisories). The maintainers
will diagnose the severity of the issue and determine how to address the issue.
The team will help diagnose the severity of the issue and determine how to
address the issue. Issues deemed to be non-critical will be filed as GitHub
issues. Critical issues will receive immediate attention and be fixed as quickly
as possible.
## Criticality Policy
## Security Advisories
In general, critical issues that affect Linkerd's security posture or that
reduce its ability to provide security for users will receive immediate
attention and be fixed as quickly as possible.
When serious security problems in Linkerd are discovered and corrected, we issue
a security advisory, describing the problem and containing a pointer to the fix.
These are announced to our cncf-linkerd-announce mailing list as well as to
various other mailing lists and websites.
Issues that do not affect Linkerd's security posture and that don't reduce its
ability to provide security for users may not be immediately addressed. For
example, CVEs in underlying dependencies that don't actually affect Linkerd may
not be immediately addressed.
Security issues are fixed as soon as possible, and the fixes are propagated to
the stable branches as fast as possible. However, when a vulnerability is found
during a code audit, or when several other issues are likely to be spotted and
fixed in the near future, the security team may delay the release of a Security
Advisory, so that one unique, comprehensive Security Advisory covering several
vulnerabilities can be issued. Communication with vendors and other
distributions shipping the same code may also cause these delays.
## Version Policy
A note on versions: For stable releases, Linkerd follows a modified semantic
versioning scheme of the form `2.<major>.<minor>`. In other words, "2" is a
static prefix, followed by the major version, then the minor.
The Linkerd project will provide security updates for the most recent major
stable version only. In other words, if `2.X.Y` is the most recent major
version, we will provide security updates as part of a `2.X.(Y + 1)` release.
Backports of security updates to earlier stable versions will only be done
at the discretion of the maintainer team.
## Security Audits
Unredacted security audits are published in the audits/ subdirectory.
The CNCF provides periodic third-party security audits. We publish unredacted
reports in the [audits/](audits/) subdirectory.
## Security Advisories
When vulnerabilities in Linkerd itself are discovered and corrected, we will
issue a security advisory, describing the problem and providing a pointer to the
fix. These will be announced to our
[cncf-linkerd-announce](https://lists.cncf.io/g/cncf-linkerd-announce) mailing
list.
There are some situations where we may delay issuing a security advisory. For
example, when a vulnerability is found during a code audit or when several
issues are likely to be spotted and fixed in the near future, the maintainers
may delay the release of a Security Advisory so that we can issue a single
comprehensive Security Advisory covering multiple vulnerabilities. Communication
with vendors and other distributions shipping the same code may also cause these
delays.
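Review bot: The rewritten "Reporting a Vulnerability" section (from "If you believe you've found a security problem in Linkerd" through "determine how to address the issue") drops the <cncf-linkerd-security-alert@lists.cncf.io> contact and leaves a GitHub security advisory on the linkerd2 repo as the only intake, so a reporter without a GitHub account, or one who cannot use private advisories, has no private channel; either keep the mailing list as a fallback contact or state plainly that private advisories are the sole intake and the list is no longer monitored. Two smaller points in the same hunk: the new "Version Policy" narrows coverage from the two most recent stable minor versions to "the most recent major stable version only", with backports "at the discretion of the maintainer team", and since users on the previous stable line lose guaranteed fixes the policy should say so directly rather than leaving it implicit in the removed "Supported Versions" text; and "will diagnose the severity of the issue and determine how to address the issue" repeats "the issue", so "and determine how to address it" reads better.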