# Vulnerability Management Policy

This document formally describes the process of addressing and managing a reported vulnerability that has been found in the MinIO server code base, any directly connected ecosystem component, or a direct or indirect dependency of the code base.

## Scope

The vulnerability management policy described in this document covers the process of investigating, assessing and resolving a vulnerability report opened by a MinIO employee or an external third party. Therefore, it lists the pre-conditions and actions that should be performed to resolve and fix a reported vulnerability.

## Vulnerability Management Process

The vulnerability management process requires that the vulnerability report contains the following information:

- The project / component that contains the reported vulnerability.
- A description of the vulnerability, in particular the type of the reported vulnerability and how it might be exploited. Alternatively, a well-established vulnerability identifier, e.g. a CVE number, can be used instead.

Based on the description mentioned above, a MinIO engineer or security team member investigates:

- Whether the reported vulnerability exists.
- The conditions under which the vulnerability can be exploited.
- The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO code bases itself - not in a code dependency - then MinIO will, if possible, fix the vulnerability or implement reasonable countermeasures such that the vulnerability can no longer be exploited.