github.com/minio/console@v1.4.1/VULNERABILITY_REPORT.md

## Vulnerability Management Policy

This document formally describes the process of addressing and managing a
reported vulnerability that has been found in the MinIO Console server code base,
any directly connected ecosystem component, or a direct or indirect dependency
of the code base.

### Scope

The vulnerability management policy described in this document covers the
process of investigating, assessing and resolving a vulnerability report
opened by a MinIO Console employee or an external third party.

To that end, it lists the pre-conditions and actions that should be performed to
resolve and fix a reported vulnerability.

### Vulnerability Management Process

The vulnerability management process requires that the vulnerability report
contains the following information:

 - The project / component that contains the reported vulnerability.
 - A description of the vulnerability. In particular, the type of the
   reported vulnerability and how it might be exploited. Alternatively,
   a well-established vulnerability identifier, e.g. a CVE number, can be
   used instead.

Based on the description mentioned above, a MinIO Console engineer or security team
member investigates:

 - Whether the reported vulnerability exists.
 - The conditions required for the vulnerability to be exploited.
 - The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO Console code bases
itself - not in a code dependency - then MinIO Console will, if possible, fix
the vulnerability or implement reasonable countermeasures such that the
vulnerability can no longer be exploited.