:title: Vulnerability Reporting

.. _vulnerability-reporting:

Vulnerability Reporting
=======================

Zuul strives to be as secure as possible, implementing a layered
defense-in-depth approach where any untrusted code is executed and
leveraging well-reviewed popular libraries for its cryptographic
needs. Still, bugs are inevitable and security bugs are no exception
to that rule.

If you've found a bug in Zuul and you suspect it may compromise the
security of some part of the system, we'd appreciate the opportunity
to privately discuss the details before any suspected vulnerability
is made public. There are a couple of possible ways to bring
security bugs to our attention:

Create a Private Story in StoryBoard
------------------------------------

You can create a private story at the following URL:

`<https://storyboard.openstack.org/#!/story/new?force_private=true>`_

Using this particular reporting URL helps prevent you from
forgetting to set the ``Private`` checkbox in the new story UI
before saving. If you're doing this from a normal story creation
workflow instead, please make sure to set this checkbox first.

Enter a short but memorable title for your vulnerability report and
provide risks, concerns or other relevant details in the description
field. Where it lists teams and users that can see this story, add
the ``zuul-security`` team so they'll be able to work on triaging
it. For the initial task, select the project to which this is
specific (e.g., ``zuul/zuul`` or ``zuul/nodepool``). If it relates
to additional projects, add another task for each of them, making
sure to include a relevant title for each task. When you've included
all the detail and tasks you want, save the new story; you can then
continue commenting on it normally. Please don't remove the
``Private`` setting; instead, wait for one of the zuul-security
reviewers to do this once it's deemed safe.

Report via Encrypted E-mail
---------------------------

If the issue is extremely sensitive or you’re otherwise unable to
use the task tracker directly, please send an E-mail message to one
or more members of the Zuul security team. You’re encouraged to
encrypt messages to their OpenPGP keys, which can be found linked
below and also on the keyserver network with the following
fingerprints:

.. TODO: add some more contacts/keys here

* Jeremy Stanley <fungi@yuggoth.org>:
  `key 0x97ae496fc02dec9fc353b2e748f9961143495829
  <_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt>`_

* Tobias Henkel <tobias.henkel@bmw.de>:
  `key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2
  <_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt>`_