github.com/greenplum-db/gpbackup@v0.0.0-20240517212602-89daab1885b3/SECURITY.md (about)

     1  # Security Release Process
     2  
     3  Greenplum Database has adopted this security disclosure and response policy to
     4  ensure we responsibly handle critical issues.
     5  
     6  ## Reporting a Vulnerability - Private Disclosure Process
     7  
     8  Security is of the highest importance and all security vulnerabilities or
     9  suspected security vulnerabilities should be reported to Greenplum Database
    10  privately, to minimize attacks against current users of Greenplum Database
    11  before they are fixed. Vulnerabilities will be investigated and patched on the
    12  next patch (or minor) release as soon as possible. This information could be
    13  kept entirely internal to the project.
    14  
    15  If you know of a publicly disclosed security vulnerability for Greenplum
    16  Database, please **IMMEDIATELY** contact the Greenplum Database project team
    17  (security@greenplum.org).
    18  
    19  **IMPORTANT: Do not file public issues on GitHub for security vulnerabilities!**
    20  
    21  To report a vulnerability or a security-related issue, please contact the email
    22  address with the details of the vulnerability. The email will be fielded by the
    23  Greenplum Database project team. Emails will be addressed promptly, including a
    24  detailed plan to investigate the issue and any potential workarounds to perform
    25  in the meantime. Do not report non-security-impacting bugs through this
    26  channel. Use [GitHub issues](https://github.com/greenplum-db/gpdb/issues)
    27  instead.
    28  
    29  ## Proposed Email Content
    30  
    31  Provide a descriptive subject line and in the body of the email include the
    32  following information:
    33  
    34  * Basic identity information, such as your name and your affiliation or company.
    35  * Detailed steps to reproduce the vulnerability  (POC scripts, screenshots, and
    36    logs are all helpful to us).
    37  * Description of the effects of the vulnerability on Greenplum Database and the
    38    related hardware and software configurations, so that the Greenplum Database
    39    project team can reproduce it.
    40  * How the vulnerability affects Greenplum Database usage and an estimation of
    41    the attack surface, if there is one.
    42  * List other projects or dependencies that were used in conjunction with
    43    Greenplum Database to produce the vulnerability.
    44  
    45  ## When to report a vulnerability
    46  
    47  * When you think Greenplum Database has a potential security vulnerability.
    48  * When you suspect a potential vulnerability but you are unsure that it impacts
    49    Greenplum Database.
    50  * When you know of or suspect a potential vulnerability on another project that
    51    is used by Greenplum Database.
    52  
    53  ## Patch, Release, and Disclosure
    54  
    55  The Greenplum Database project team will respond to vulnerability reports as
    56  follows:
    57  
    58  1. The Greenplum project team will investigate the vulnerability and determine
    59  its effects and criticality.
    60  2. If the issue is not deemed to be a vulnerability, the Greenplum project team
    61  will follow up with a detailed reason for rejection.
    62  3. The Greenplum project team will initiate a conversation with the reporter
    63  promptly.
    64  4. If a vulnerability is acknowledged and the timeline for a fix is determined,
    65  the Greenplum project team will work on a plan to communicate with the
    66  appropriate community, including identifying mitigating steps that affected
    67  users can take to protect themselves until the fix is rolled out.
    68  5. The Greenplum project team will also create a
    69  [CVSS](https://www.first.org/cvss/specification-document) using the [CVSS
    70  Calculator](https://www.first.org/cvss/calculator/3.0). The Greenplum project
    71  team makes the final call on the calculated CVSS; it is better to move quickly
    72  than making the CVSS perfect. Issues may also be reported to
    73  [Mitre](https://cve.mitre.org/) using this [scoring
    74  calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The CVE will
    75  initially be set to private.
    76  6. The Greenplum project team will work on fixing the vulnerability and perform
    77  internal testing before preparing to roll out the fix.
    78  7. A public disclosure date is negotiated by the Greenplum Database project
    79  team, and the bug submitter. We prefer to fully disclose the bug as soon as
    80  possible once a user mitigation or patch is available. It is reasonable to
    81  delay disclosure when the bug or the fix is not yet fully understood, or the
    82  solution is not well-tested. The timeframe for disclosure is from immediate
    83  (especially if it’s already publicly known) to a few weeks. The Greenplum
    84  Database project team holds the final say when setting a public disclosure
    85  date.
    86  8. Once the fix is confirmed, the Greenplum project team will patch the
    87  vulnerability in the next patch or minor release, and backport a patch release
    88  into earlier supported releases as necessary. Upon release of the patched
    89  version of Greenplum Database, we will follow the **Public Disclosure
    90  Process**.
    91  
    92  ## Public Disclosure Process
    93  
    94  The Greenplum project team publishes a [public
    95  advisory](https://github.com/greenplum-db/gpdb/security/advisories?state=published)
    96  to the Greenplum Database community via GitHub. In most cases, additional
    97  communication via Slack, Twitter, mailing lists, blog and other channels will
    98  assist in educating Greenplum Database users and rolling out the patched
    99  release to affected users.
   100  
   101  The Greenplum project team will also publish any mitigating steps users can
   102  take until the fix can be applied to their Greenplum Database instances.
   103  
   104  ## Mailing lists
   105  
   106  * Use security@greenplum.org to report security concerns to the Greenplum
   107    Database project team, who uses the list to privately discuss security issues
   108    and fixes prior to disclosure.
   109  
   110  ## Confidentiality, integrity and availability
   111  
   112  We consider vulnerabilities leading to the compromise of data confidentiality,
   113  elevation of privilege, or integrity to be our highest priority concerns.
   114  Availability, in particular in areas relating to DoS and resource exhaustion,
   115  is also a serious security concern. The Greenplum Database project team takes
   116  all vulnerabilities, potential vulnerabilities, and suspected vulnerabilities
   117  seriously and will investigate them in an urgent and expeditious manner.
   118  
   119  Note that we do not currently consider the default settings for Greenplum
   120  Database to be secure-by-default. It is necessary for operators to explicitly
   121  configure settings, role based access control, and other resource related
   122  features in Greenplum Database to provide a hardened Greenplum Database
   123  environment. We will not act on any security disclosure that relates to a lack
   124  of safe defaults. Over time, we will work towards improved safe-by-default
   125  configuration, taking into account backwards compatibility.