minio/VULNERABILITY_REPORT.md

1.5 KiB

Vulnerability Management Policy

This document formally describes the process of addressing and managing a reported vulnerability that has been found in the MinIO server code base, any directly connected ecosystem component or a direct / indirect dependency of the code base.

Scope

The vulnerability management policy described in this document covers the process of investigating, assessing and resolving a vulnerability report opened by a MinIO employee or an external third party.

Therefore, it lists pre-conditions and actions that should be performed to resolve and fix a reported vulnerability.

Vulnerability Management Process

The vulnerability management process requires that the vulnerability report contains the following information:

  • The project / component that contains the reported vulnerability.
  • A description of the vulnerability. In particular, the type of the reported vulnerability and how it might be exploited. Alternatively, a well-established vulnerability identifier, e.g. CVE number, can be used instead.

Based on the description mentioned above, a MinIO engineer or security team member investigates:

  • Whether the reported vulnerability exists.
  • The conditions that are required such that the vulnerability can be exploited.
  • The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO code bases itself - not in a code dependency - then MinIO will, if possible, fix the vulnerability or implement reasonable countermeasures such that the vulnerability cannot be exploited anymore.