github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/VULNERABILITY_REPORT.md

# Vulnerability Management Policy

This document formally describes the process of addressing and managing a
reported vulnerability that has been found in the MinIO server code base,
any directly connected ecosystem component or a direct / indirect dependency
of the code base.

## Scope

The vulnerability management policy described in this document covers the
process of investigating, assessing and resolving a vulnerability report
opened by a MinIO employee or an external third party.

Therefore, it lists pre-conditions and actions that should be performed to
resolve and fix a reported vulnerability.

## Vulnerability Management Process

The vulnerability management process requires that the vulnerability report
contains the following information:

- The project / component that contains the reported vulnerability.
- A description of the vulnerability. In particular, the type of the
  reported vulnerability and how it might be exploited. Alternatively,
  a well-established vulnerability identifier, e.g. CVE number, can be
  used instead.

Based on the description mentioned above, a MinIO engineer or security team
member investigates:

- Whether the reported vulnerability exists.
- The conditions that are required such that the vulnerability can be exploited.
- The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO code bases
itself - not in a code dependency - then MinIO will, if possible, fix
the vulnerability or implement reasonable countermeasures such that the
vulnerability cannot be exploited anymore.