1 | 1 | # Security Policy |
2 | 2 |
3 | 3 | Please follow the [security policy](https://oras.land/docs/community/reporting_security_concerns) to report a security vulnerability or concern. |
| 4 | + |
| 5 | +## Security Mailing List |
| 6 | + |
| 7 | +The ORAS project maintains a security mailing list at https://lists.cncf.io/g/cncf-oras-security for security-related discussions. This mailing list is intended for: |
| 8 | + |
| 9 | +* Coordination among security team members when handling vulnerability reports |
| 10 | +* Discussion of security best practices and improvements to ORAS security posture |
| 11 | +* Private communication regarding security concerns that are not yet ready for public disclosure |
| 12 | +* Coordination of security patches and disclosure timelines |
| 13 | + |
| 14 | +To report a vulnerability via email, send to: [[email protected]](mailto:[email protected]) |
| 15 | + |
| 16 | +## Security Team |
| 17 | + |
| 18 | +The security team is made up of a subset of the ORAS project maintainers who are willing and able to respond to vulnerability reports. |
| 19 | + |
| 20 | +### Responsibilities |
| 21 | + |
| 22 | +* Members MUST be active project maintainers on active (non-deprecated) ORAS projects as defined in [the governance](governance/GOVERNANCE.md) |
| 23 | +* Members SHOULD engage in each reported vulnerability, at a minimum to make sure it is being handled |
| 24 | +* Members MUST keep the vulnerability details private and only share on a need to know basis |
| 25 | + |
| 26 | +### Membership |
| 27 | + |
| 28 | +New members are required to be active maintainers of ORAS projects who are willing to perform the responsibilities outlined above. The security team is a subset of the maintainers. Members can step down at any time and may join at any time. |
| 29 | + |
| 30 | +From time to time, ORAS projects are deprecated. If at any time a security team member is found to be no longer be an active maintainer on active ORAS projects, this individual will be removed from the security team. |
| 31 | + |
| 32 | +## Patch and Release Team |
| 33 | + |
| 34 | +When a vulnerability comes in and is acknowledged, a team - including maintainers of the ORAS project affected - will assembled to patch the vulnerability, release an update, and publish the vulnerability disclosure. This may expand beyond the security team as needed but will stay within the pool of ORAS project maintainers. |
| 35 | + |
| 36 | +## Disclosures |
| 37 | + |
| 38 | +Vulnerability disclosures are published on the security advisory in each repository. The disclosures will contain an overview, details about the vulnerability, a fix for the vulnerability that will typically be an update, and optionally a workaround if one is available. |
| 39 | + |
| 40 | +Disclosures will be published on the same day as a release fixing the vulnerability after the release is published. |
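Review bot: Two grammar slips in the new text should be fixed before merge: under "Membership", "is found to be no longer be an active maintainer on active ORAS projects" has a stray second "be" (read: "is found to no longer be an active maintainer"), and under "Patch and Release Team", "a team - including maintainers of the ORAS project affected - will assembled to patch the vulnerability" is missing "be" (read: "will be assembled"). In the "Responsibilities" list, "need to know basis" should be hyphenated as "need-to-know basis". The last sentence under "Disclosures" says the same thing twice ("on the same day as a release fixing the vulnerability after the release is published"); a tighter form is "Disclosures are published on the same day as, and after, the release that fixes the vulnerability." Also, the address on the "To report a vulnerability via email" line renders here as "[email protected]", so please confirm the real mailbox address is present in the committed file rather than an obfuscated placeholder, since that line is the one reporters will copy.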