doc: use AWS security policy
pb8o committed Sep 25, 2023
1 parent 840cbd9 commit ecb7587
Showing 1 changed file with 11 additions and 23 deletions.
34 changes: 11 additions & 23 deletions SECURITY.md
@@ -1,23 +1,11 @@
# Security Issue Policy

If you uncover a security issue with Firecracker, please write to us on
<[email protected]>. Please encrypt sensitive
information using the [PGP key](PGP-KEY.asc).

Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made
aware) of a security issue, they will immediately assess it. Based on impact and
complexity, they will determine an embargo period (if externally reported, the
period will be agreed upon with the external party).

During the embargo period, maintainers will prioritize developing a fix over
other activities. Within this period, maintainers may also notify a limited
number of trusted parties via a pre-disclosure list, providing them with
technical information, a risk assessment, and early access to a fix.

The external customers are included in this group based on the scale of their
Firecracker usage in production. The pre-disclosure list may also contain
significant external security contributors that can join the effort to fix the
issue during the embargo period.

At the end of the embargo period, maintainers will publicly release information
about the security issue together with the Firecracker patches that mitigate it.
## Reporting Security Issues

We take all security reports seriously.
When we receive such reports,
we will investigate and subsequently address
any potential vulnerabilities as quickly as possible.
If you discover a potential security issue in this project,
please notify AWS/Amazon Security via our
[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/)
or directly via email to [AWS Security](mailto:[email protected]).
Please do *not* create a public GitHub issue in this project.
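
Review bot: The vulnerability reporting link in the new "Reporting Security Issues" text uses plain HTTP (`http://aws.amazon.com/security/vulnerability-reporting/`); link it as `https://` so a reporter following it does not depend on a redirect to reach the reporting page securely. Separately, the removed text told reporters to encrypt sensitive information with `PGP-KEY.asc`, and the replacement gives no encrypted option. Since this commit changes only SECURITY.md, the key file stays in the tree but is no longer referenced from this policy, so either drop it in the same change or state how reporters should protect sensitive details. The embargo and pre-disclosure description is also removed without a pointer to where that process is now documented; a short link would keep reporters informed of what to expect after they report.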
