From 7b5223d83dd179eee63b6c08eec6d9b9910f6fa2 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Sun, 13 Dec 2020 02:38:37 +0100 Subject: [PATCH] add vulnerability report policy (#11084) --- VULNERABILITY_REPORT.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 VULNERABILITY_REPORT.md diff --git a/VULNERABILITY_REPORT.md b/VULNERABILITY_REPORT.md new file mode 100644 index 000000000..f359a4779 --- /dev/null +++ b/VULNERABILITY_REPORT.md 
@@ -0,0 +1,39 @@ +## Vulnerability Management Policy + +This document formally describes the process of addressing and managing a +reported vulnerability that has been found in the MinIO server code base, +any directly connected ecosystem component or a direct / indirect dependency +of the code base. + +### Scope + +The vulnerability management policy described in this document covers the +process of investigating, assessing and resolving a vulnerability report +opened by a MinIO employee or an external third party. + +Therefore, it lists pre-conditions and actions that should be performed to +resolve and fix a reported vulnerability. + +### Vulnerability Management Process + +The vulnerability management process requires that the vulnerability report +contains the following information: + + - The project / component that contains the reported vulnerability. + - A description of the vulnerability. In particular, the type of the + reported vulnerability and how it might be exploited. Alternatively, + a well-established vulnerability identifier, e.g. CVE number, can be + used instead. + +Based on the description mentioned above, a MinIO engineer or security team +member investigates: + + - Whether the reported vulnerability exists. + - The conditions that are required such that the vulnerability can be exploited. + - The steps required to fix the vulnerability. + +In general, if the vulnerability exists in one of the MinIO code bases +itself - not in a code dependency - then MinIO will, if possible, fix +the vulnerability or implement reasonable countermeasures such that the +vulnerability cannot be exploited anymore. +
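Review bot: the new `### Vulnerability Management Process` section states what a report must contain and what the engineer investigates, but the document never says where or how a reporter submits the report (no security contact address or channel) and gives no acknowledgement or disclosure timeline, so an external reporter reading this file still cannot act on it; suggest adding a short "Reporting a Vulnerability" subsection before the process description with the contact channel and the expected response window. The closing paragraph also only covers the case "if the vulnerability exists in one of the MinIO code bases itself - not in a code dependency", while the introduction explicitly brings "a direct / indirect dependency of the code base" into scope; add a sentence stating how dependency vulnerabilities are handled (for example, upgrading or replacing the dependency, or documenting a mitigation when no fix is available) so that the scope and the process paragraph agree.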