Commit
Taken from https://github.com/aws/.github/blob/master/SECURITY.md Signed-off-by: Pablo Barbáchano <[email protected]>
Showing 1 changed file with 11 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,23 +1,11 @@ | ||
# Security Issue Policy | ||
|
||
If you uncover a security issue with Firecracker, please write to us on | ||
<[email protected]>. Please encrypt sensitive | ||
information using the [PGP key](PGP-KEY.asc). | ||
|
||
Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made | ||
aware) of a security issue, they will immediately assess it. Based on impact and | ||
complexity, they will determine an embargo period (if externally reported, the | ||
period will be agreed upon with the external party). | ||
|
||
During the embargo period, maintainers will prioritize developing a fix over | ||
other activities. Within this period, maintainers may also notify a limited | ||
number of trusted parties via a pre-disclosure list, providing them with | ||
technical information, a risk assessment, and early access to a fix. | ||
|
||
The external customers are included in this group based on the scale of their | ||
Firecracker usage in production. The pre-disclosure list may also contain | ||
significant external security contributors that can join the effort to fix the | ||
issue during the embargo period. | ||
|
||
At the end of the embargo period, maintainers will publicly release information | ||
about the security issue together with the Firecracker patches that mitigate it. | ||
## Reporting Security Issues | ||
|
||
We take all security reports seriously. | ||
When we receive such reports, | ||
we will investigate and subsequently address | ||
any potential vulnerabilities as quickly as possible. | ||
If you discover a potential security issue in this project, | ||
please notify AWS/Amazon Security via our | ||
[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) | ||
or directly via email to [AWS Security](mailto:[email protected]). | ||
Please do *not* create a public GitHub issue in this project. |
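Review bot: The removed paragraphs at the top of this hunk told reporters to encrypt sensitive information with the [PGP key](PGP-KEY.asc) and described the embargo period and pre-disclosure list, and the new "Reporting Security Issues" text has no equivalent for either. If Firecracker still runs an embargo and pre-disclosure process, keep that description below the new section or link to where it now lives, and either say how a reporter can send sensitive details confidentially or remove PGP-KEY.asc in the same commit so the repository does not carry a key nothing refers to. The new vulnerability reporting page link uses `http://`; suggest `https://aws.amazon.com/security/vulnerability-reporting/` so the reporting channel is not reached over plaintext. The file also now opens with a level-two heading ("## Reporting Security Issues") with "# Security Issue Policy" gone, so consider keeping a top-level title.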