mirror of
https://github.com/minio/minio.git
synced 2025-04-10 22:47:52 -04:00
add vulnerability report policy (#11084)
This commit is contained in:
parent
f164085227
commit
7b5223d83d
39
VULNERABILITY_REPORT.md
Normal file
39
VULNERABILITY_REPORT.md
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
## Vulnerability Management Policy
|
||||||
|
|
||||||
|
This document formally describes the process of addressing and managing a
|
||||||
|
reported vulnerability that has been found in the MinIO server code base,
|
||||||
|
any directly connected ecosystem component or a direct / indirect dependency
|
||||||
|
of the code base.
|
||||||
|
|
||||||
|
### Scope
|
||||||
|
|
||||||
|
The vulnerability management policy described in this document covers the
|
||||||
|
process of investigating, assessing and resolving a vulnerability report
|
||||||
|
opened by a MinIO employee or an external third party.
|
||||||
|
|
||||||
|
Therefore, it lists pre-conditions and actions that should be performed to
|
||||||
|
resolve and fix a reported vulnerability.
|
||||||
|
|
||||||
|
### Vulnerability Management Process
|
||||||
|
|
||||||
|
The vulnerability management process requires that the vulnerability report
|
||||||
|
contains the following information:
|
||||||
|
|
||||||
|
- The project / component that contains the reported vulnerability.
|
||||||
|
- A description of the vulnerability. In particular, the type of the
|
||||||
|
reported vulnerability and how it might be exploited. Alternatively,
|
||||||
|
a well-established vulnerability identifier, e.g. CVE number, can be
|
||||||
|
used instead.
|
||||||
|
|
||||||
|
Based on the description mentioned above, a MinIO engineer or security team
|
||||||
|
member investigates:
|
||||||
|
|
||||||
|
- Whether the reported vulnerability exists.
|
||||||
|
- The conditions that are required such that the vulnerability can be exploited.
|
||||||
|
- The steps required to fix the vulnerability.
|
||||||
|
|
||||||
|
In general, if the vulnerability exists in one of the MinIO code bases
|
||||||
|
itself - not in a code dependency - then MinIO will, if possible, fix
|
||||||
|
the vulnerability or implement reasonable countermeasures such that the
|
||||||
|
vulnerability cannot be exploited anymore.
|
||||||
|
|
Loading…
x
Reference in New Issue
Block a user