From 2499beacc7815509a69cab2888e169027bd39697 Mon Sep 17 00:00:00 2001 From: Alejandro Saucedo Date: Mon, 21 Feb 2022 12:56:21 +0000 Subject: [PATCH] Update security policy to outline current security scans (#3959) --- SECURITY.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 950b8aea26..5f543e14b4 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,19 +4,20 @@ This document provides an overview of the security policy of Seldon Core. Seldon Core aims to follow the two following policies: -* Keep dependencies up to date -* Identify and address common vulnerabilities and exposures +* Address CVEs in project dependencies by upgrading versions where possible +* Address CVEs in docker images by performing recommended upgrades -## Supported Versions +# Security Scans + +As part of every release we perform a security scan. The scans include dependencies and docker image scans. -The versions that support this Security policies are the following +You can find the [exact commands that are used](https://github.com/SeldonIO/seldon-core/blob/master/.github/workflows/security_tests.yml) for the scans, together with the [reports generated](https://github.com/SeldonIO/seldon-core/actions/workflows/security_tests.yml) from each of these runs. + +## Supported Versions -| Version | Supported | -| ------- | ------------------ | -| >= 1.2.2 | :white_check_mark: | -| < 1.2.2 | :x: | +We use semver for our version management. We release security patches as a `patch version` for the latest maor.minor release. ## Reporting a Vulnerability -If you identify a vulnerability the best way to report it is by opening an issue with the type "bug". The discussion can then take place there on next steps (ie updating library, reaching out to 3rd party projects, etc). +If you identify a vulnerability, if a public CVE the best way to report it is by opening an issue with the type "bug", the discussion can then take place on the ticket around next steps (ie updating library, reaching out to 3rd party projects, etc).
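Review bot: the rewritten "Reporting a Vulnerability" paragraph at the end of the hunk only covers the case where a public CVE already exists and sends every reporter to a public "bug" issue; a vulnerability that is not yet public would be disclosed by that path, so the policy should also state a private reporting route (for example a security contact address, to be filled in by the maintainers) and reserve the public issue for already-published CVEs. The sentence is also grammatically broken as written ("If you identify a vulnerability, if a public CVE the best way to report it is ..., the discussion can then take place ..."); suggest: "If the vulnerability is already a public CVE, the best way to report it is by opening an issue with the type "bug"; the discussion on next steps (i.e. updating the library, reaching out to 3rd party projects, etc.) can then take place on that ticket." Two smaller points in the same hunk: "maor.minor" in the Supported Versions line should read "major.minor", and since the version table is removed, the replacement sentence should say explicitly that only the latest major.minor release receives security patches so readers know older minors are unsupported.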