For requesting any information regarding the security of this project please join:
GitHub is the preferred method for privately reporting a security vulnerability.
- Fill out the form on the GitHub Security Reporting page.
- You will receive a confirmation email upon submission.
- You may be contacted by the maintainers to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm whether a vulnerability is present.
We prefer to fully disclose the bug as soon as possible once a user mitigation is available.
The Fix Lead drives the schedule using their best judgment based on severity, development time, and release manager feedback.
If the Fix Lead is dealing with a Public Disclosure, all timelines become ASAP.
OpenEBS releases follow the semver specification.
Security fixes are typically merged to the HEAD branch and are due for release in the next minor version.
Upon request, or if deemed necessary as part of a critical security fix, we may backport the changes as a patch release.
The security team is made up of a subset of the project maintainers who are willing and able to respond to vulnerability reports.