
The Airship security guide was last updated in 2018 and has not been maintained. Its coverage is limited to Airship 1 and is vague. This change removes it.

Change-Id: Ibb8a74f6a13d0e66dba92e45ff4891eb25327ce9
Signed-off-by: Drew Walters <andrew.walters@att.com>

71 lines
3.4 KiB
ReStructuredText

..
      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

.. _vulnerabilities:

Airship Security Vulnerability Management
=========================================

The Airship community is committed to expediently confirming, resolving, and
disclosing all reported security vulnerabilities. We appreciate your
cooperation and participation in our vulnerability management process outlined
below.

Report a Vulnerability
----------------------

If you discover a vulnerability in an Airship project, please treat the issue
with a sense of confidentiality and disclose it to the `airship-security
mailing list`_:

    airship-security@lists.airshipit.org

Additionally, please include any potential fixes, as doing so can expedite the
disclosure and patching processes.

The Airship Working Committee is the sole subscriber of the `airship-security
mailing list`_ and monitors it for reported vulnerabilities. The committee
confirms or rejects reported vulnerabilities in correspondence with the
vulnerability reporter. In the event that the Airship Working Committee does
not have the expertise or availability to resolve a reported vulnerability, the
committee may solicit assistance from outside contributors to better facilitate
the understanding and resolution of reported security vulnerabilities.

Receive Early Disclosures
-------------------------

We prefer to disclose confirmed security vulnerabilities as soon as possible.
While circumstances may not always allow immediate disclosure, vulnerabilities
may be disclosed over the `airship-embargo-notice mailing list`_ when a fix
becomes available. The airship-embargo-notice mailing list notifies Airship
users of confirmed vulnerabilities. If you operate Airship in a production
environment, we recommend subscribing to the `airship-embargo-notice mailing
list`_ by contacting the Airship Working Committee. The Airship Working
Committee evaluates subscription requests on a case-by-case basis.

Receive Public Disclosures
--------------------------

Within ninety days of the initial vulnerability report, except in unusual
circumstances, the Airship Working Committee will publicly disclose the
reported vulnerability and its mitigation over the `airship-announce`_ and
`airship-discuss`_ mailing lists. If a fix merges before the aforementioned
ninety-day period expires, the Airship Working Committee will instead disclose
the vulnerability and fix twenty-one days later. We recommend subscribing to
both mailing lists in order to receive security updates.

.. _airship-security mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-security
.. _airship-embargo-notice mailing list: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-embargo-notice
.. _airship-announce: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-announce
.. _airship-discuss: http://lists.airshipit.org/cgi-bin/mailman/listinfo/airship-discuss