Security
========
We take the security of ``lemur`` seriously. The following are a set of
policies we have adopted to ensure that security issues are addressed in a
timely fashion.
Reporting a security issue
--------------------------
We ask that you do not report security issues to our normal GitHub issue
tracker.
If you believe you've identified a security issue with ``lemur``, please
report it to ``cloudsecurity@netflix.com``.
Once you've submitted an issue via email, you should receive an acknowledgment
within 48 hours, and depending on the action to be taken, you may receive
further follow-up emails.
Supported Versions
------------------
At any given time, we will provide security support for the `master`_ branch
as well as the most recent release.
Disclosure Process
------------------
Our process for taking a security issue from private discussion to public
disclosure involves multiple steps.
Approximately one week before full public disclosure, we will provide advance
notification that a security issue exists. Depending on the severity of the
issue, we may choose to either send a targeted email to known Lemur users and
contributors or post an issue to the Lemur repository. In either case, the
notification will contain the following:
* A description of the potential impact.
* The affected versions of ``lemur``.
* The steps we will be taking to remedy the issue.
* The date on which the ``lemur`` team will apply these patches, issue
  new releases, and publicly disclose the issue.
If the issue was reported to us by an outside party, the reporter will be
notified of the date on which we plan to make the issue public.
On the day of disclosure, we will take the following steps:
* Apply the relevant patches to the ``lemur`` repository. The commit
  messages for these patches will indicate that they are for security issues,
  but will not describe the issue in any detail; instead, they will warn of
  upcoming disclosure.
* Issue an updated release.
If a reported issue is believed to be particularly time-sensitive – due to a
known exploit in the wild, for example – the time between advance notification
and public disclosure may be shortened considerably.
The list of people and organizations who receive advance notification of
security issues is not, and will not be, made public. This list generally
consists of high-profile downstream distributors and is entirely at the
discretion of the ``lemur`` team.
.. _`master`: https://github.com/Netflix/lemur