github.com/greenplum-db/gpbackup@v0.0.0-20240517212602-89daab1885b3/SECURITY.md

# Security Release Process

Greenplum Database has adopted this security disclosure and response policy to
ensure we responsibly handle critical issues.

## Reporting a Vulnerability - Private Disclosure Process

Security is of the highest importance, and all security vulnerabilities or
suspected security vulnerabilities should be reported to Greenplum Database
privately, to minimize attacks against current users of Greenplum Database
before they are fixed. Vulnerabilities will be investigated and patched in the
next patch (or minor) release as soon as possible. This information may be
kept entirely internal to the project.

If you know of a publicly disclosed security vulnerability for Greenplum
Database, please **IMMEDIATELY** contact the Greenplum Database project team
(security@greenplum.org).

**IMPORTANT: Do not file public issues on GitHub for security vulnerabilities!**

To report a vulnerability or a security-related issue, please contact the email
address above with the details of the vulnerability. The email will be fielded by
the Greenplum Database project team. Emails will be addressed promptly, including
a detailed plan to investigate the issue and any potential workarounds to apply
in the meantime. Do not report non-security-impacting bugs through this
channel. Use [GitHub issues](https://github.com/greenplum-db/gpdb/issues)
instead.

## Proposed Email Content

Provide a descriptive subject line and, in the body of the email, include the
following information:

* Basic identity information, such as your name and your affiliation or company.
* Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and
  logs are all helpful to us).
* Description of the effects of the vulnerability on Greenplum Database and the
  related hardware and software configurations, so that the Greenplum Database
  project team can reproduce it.
* How the vulnerability affects Greenplum Database usage and an estimation of
  the attack surface, if there is one.
* A list of other projects or dependencies that were used in conjunction with
  Greenplum Database to produce the vulnerability.

## When to report a vulnerability

* When you think Greenplum Database has a potential security vulnerability.
* When you suspect a potential vulnerability but you are unsure whether it
  impacts Greenplum Database.
* When you know of or suspect a potential vulnerability in another project that
  is used by Greenplum Database.

## Patch, Release, and Disclosure

The Greenplum Database project team will respond to vulnerability reports as
follows:

1. The Greenplum project team will investigate the vulnerability and determine
   its effects and criticality.
2. If the issue is not deemed to be a vulnerability, the Greenplum project team
   will follow up with a detailed reason for rejection.
3. The Greenplum project team will initiate a conversation with the reporter
   promptly.
4. If a vulnerability is acknowledged and the timeline for a fix is determined,
   the Greenplum project team will work on a plan to communicate with the
   appropriate community, including identifying mitigating steps that affected
   users can take to protect themselves until the fix is rolled out.
5. The Greenplum project team will also create a
   [CVSS](https://www.first.org/cvss/specification-document) score using the
   [CVSS Calculator](https://www.first.org/cvss/calculator/3.0). The Greenplum
   project team makes the final call on the calculated CVSS; it is better to
   move quickly than to make the CVSS perfect. Issues may also be reported to
   [Mitre](https://cve.mitre.org/) using this [scoring
   calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The CVE
   will initially be set to private.
6. The Greenplum project team will work on fixing the vulnerability and perform
   internal testing before preparing to roll out the fix.
7. A public disclosure date is negotiated by the Greenplum Database project
   team and the bug submitter. We prefer to fully disclose the bug as soon as
   possible once a user mitigation or patch is available. It is reasonable to
   delay disclosure when the bug or the fix is not yet fully understood, or the
   solution is not well-tested. The timeframe for disclosure ranges from
   immediate (especially if it's already publicly known) to a few weeks. The
   Greenplum Database project team holds the final say when setting a public
   disclosure date.
8. Once the fix is confirmed, the Greenplum project team will patch the
   vulnerability in the next patch or minor release, and backport a patch
   release into earlier supported releases as necessary. Upon release of the
   patched version of Greenplum Database, we will follow the **Public
   Disclosure Process**.

## Public Disclosure Process

The Greenplum project team publishes a [public
advisory](https://github.com/greenplum-db/gpdb/security/advisories?state=published)
to the Greenplum Database community via GitHub. In most cases, additional
communication via Slack, Twitter, mailing lists, blog and other channels will
assist in educating Greenplum Database users and rolling out the patched
release to affected users.

The Greenplum project team will also publish any mitigating steps users can
take until the fix can be applied to their Greenplum Database instances.

## Mailing lists

* Use security@greenplum.org to report security concerns to the Greenplum
  Database project team, who use the list to privately discuss security issues
  and fixes prior to disclosure.

## Confidentiality, integrity and availability

We consider vulnerabilities leading to the compromise of data confidentiality,
elevation of privilege, or loss of integrity to be our highest priority
concerns. Availability, in particular in areas relating to DoS and resource
exhaustion, is also a serious security concern. The Greenplum Database project
team takes all vulnerabilities, potential vulnerabilities, and suspected
vulnerabilities seriously and will investigate them in an urgent and
expeditious manner.

Note that we do not currently consider the default settings for Greenplum
Database to be secure-by-default. It is necessary for operators to explicitly
configure settings, role-based access control, and other resource-related
features in Greenplum Database to provide a hardened Greenplum Database
environment. We will not act on any security disclosure that relates to a lack
of safe defaults. Over time, we will work towards improved safe-by-default
configuration, taking into account backwards compatibility.