diff --git a/SECURITY.md b/SECURITY.md index 756f8c526..6418f1016 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,39 +1,67 @@ -# Security Policy +# Linkerd Security Policy -## Supported Versions +Security is critical to Linkerd and we take it very seriously. Not only must +Linkerd be secure, it must improve the security of the system around it. To this +end, every aspect of Linkerd's development is done with security in mind. -We provide security updates for the two most recent minor versions released on -the `stable` channel. +Linkerd makes use of a variety of tools to ensure software security, including: -For example, if `stable-2.7.1` is the most recent stable versions, we will -address security updates for `stable-2.6.0` and later. Once `stable-2.8.0` is -released, we will no longer provide updates for `stable-2.6.x` releases. +* Code review +* Dependency hygiene and supply chain security via + [dependabot](https://docs.github.com/en/code-security/dependabot) +* [Fuzz testing](https://linkerd.io/2021/05/07/fuzz-testing-for-linkerd/) +* [Third-party security audits](#security-audits) +* And other forms of manual, static, and dynamic checking. ## Reporting a Vulnerability -To report a security problem in Linkerd, please contact the Security Alert Team: -. +If you believe you've found a security problem in Linkerd, whether in the +control plane, proxy, or any other component, please file a [GitHub security +advisory on the linkerd2 +repo](https://github.com/linkerd/linkerd2/security/advisories). The maintainers +will diagnose the severity of the issue and determine how to address the issue. -The team will help diagnose the severity of the issue and determine how to -address the issue. Issues deemed to be non-critical will be filed as GitHub -issues. Critical issues will receive immediate attention and be fixed as quickly -as possible. 
+## Criticality Policy -## Security Advisories +In general, critical issues that affect Linkerd's security posture or that +reduce its ability to provide security for users will receive immediate +attention and be fixed as quickly as possible. -When serious security problems in Linkerd are discovered and corrected, we issue -a security advisory, describing the problem and containing a pointer to the fix. -These are announced to our cncf-linkerd-announce mailing list as well as to -various other mailing lists and websites. +Issues that do not affect Linkerd's security posture and that don't reduce its +ability to provide security for users may not be immediately addressed. For +example, CVEs in underlying dependencies that don't actually affect Linkerd may +not be immediately addressed. -Security issues are fixed as soon as possible, and the fixes are propagated to -the stable branches as fast as possible. However, when a vulnerability is found -during a code audit, or when several other issues are likely to be spotted and -fixed in the near future, the security team may delay the release of a Security -Advisory, so that one unique, comprehensive Security Advisory covering several -vulnerabilities can be issued. Communication with vendors and other -distributions shipping the same code may also cause these delays. +## Version Policy + +A note on versions: For stable releases, Linkerd follows a modified semantic +versioning scheme of the form `2..`. In other words, "2" is a +static prefix, followed by the major version, then the minor. + +The Linkerd project will provide security updates for the most recent major +stable version only. In other words, if `2.X.Y` is the most recent major +version, we will provide security updates as part of a `2.X.(Y + 1)` release. + +Backports of security updates to earlier stable versions will only be done +at the discretion of the maintainer team. 
## Security Audits -Unredacted security audits are published in the audits/ subdirectory. +The CNCF provides periodic third-party security audits. We publish unredacted +reports in the [audits/](audits/) subdirectory. + +## Security Advisories + +When vulnerabilities in Linkerd itself are discovered and corrected, we will +issue a security advisory, describing the problem and providing a pointer to the +fix. These will be announced to our +[cncf-linkerd-announce](https://lists.cncf.io/g/cncf-linkerd-announce) mailing +list. + +There are some situations where we may delay issuing a security advisory. For +example, when a vulnerability is found during a code audit or when several +issues are likely to be spotted and fixed in the near future, the maintainers +may delay the release of a Security Advisory so that we can issue a single +comprehensive Security Advisory covering multiple vulnerabilities. Communication +with vendors and other distributions shipping the same code may also cause these +delays.
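Review bot: In the new "Version Policy" section the version-scheme template reads `2..`, so the two components the following sentence describes ("'2' is a static prefix, followed by the major version, then the minor") are missing from the pattern itself; spell them out inside the code span, e.g. `2.MAJOR.MINOR`, so the form matches the `2.X.Y` and `2.X.(Y + 1)` examples that follow. In the same section, "security updates for the most recent major stable version only" together with "Backports ... will only be done at the discretion of the maintainer team" replaces the old two-minor-version window with no stated end-of-support point for an earlier `2.X` line; consider adding one sentence saying when (or that) a line stops receiving updates once `2.(X + 1).0` ships, so users can plan upgrades rather than rely on case-by-case discretion.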