github.com/opentofu/opentofu@v1.7.1/SECURITY.md (about) 1 # Security Reporting Process 2 3 Please report any security issue via 4 [Private Vulnerability Reporting](https://github.com/opentofu/opentofu/security/advisories/new) where the issue will be triaged appropriately. 5 Thank you in advance for helping to keep OpenTofu secure. 6 7 # Security Release Process 8 9 OpenTofu is a large growing community of volunteers, users, and vendors. The OpenTofu community has 10 adopted this security disclosure and response policy to ensure we responsibly handle critical 11 issues. 12 13 ## Product Security Team (PST) 14 15 Security vulnerabilities should be handled quickly and sometimes privately. The primary goal of this 16 process is to reduce the total time users are vulnerable to publicly known exploits. 17 18 The Product Security Team (PST) is responsible for organizing the entire response including internal 19 communication and external disclosure but will need help from relevant developers to successfully 20 run this process. 21 22 The initial Product Security Team will consist of members of Steering Committee and Core Development Team. In the future we may 23 decide to have a subset of maintainers work on security response given that this process is time 24 consuming. 25 26 ## Disclosures 27 28 ### Private Disclosure Processes 29 30 The OpenTofu community asks that all suspected vulnerabilities be privately and responsibly disclosed 31 via the [reporting policy](README.md#reporting-security-vulnerabilities). 32 33 ### Public Disclosure Processes 34 35 If you know of a publicly disclosed security vulnerability please IMMEDIATELY submit a report via 36 [Private Vulnerability Reporting](https://github.com/opentofu/opentofu/security/advisories/new) to inform the Product 37 Security Team (PST) about the vulnerability so they may start the patch, release, and communication 38 process. 39 40 If possible the PST will ask the person making the public report if the issue can be handled via a 41 private disclosure process (for example if the full exploit details have not yet been published). If 42 the reporter denies the request for private disclosure, the PST will move swiftly with the fix and 43 release process. In extreme cases GitHub can be asked to delete the issue but this generally isn't 44 necessary and is unlikely to make a public disclosure less damaging. 45 46 ## Patch, Release, and Public Communication 47 48 For each vulnerability a member of the PST will volunteer to lead coordination with the "Fix Team" 49 and is responsible for sending disclosure emails to the rest of the community. This lead will be 50 referred to as the "Fix Lead." 51 52 The role of Fix Lead should rotate round-robin across the PST. 53 54 Note that given the current size of the OpenTofu community it is likely that the PST is the same as 55 the "Fix team." (I.e., all maintainers). The PST may decide to bring in additional contributors 56 for added expertise depending on the area of the code that contains the vulnerability. 57 58 The Fix Lead drives the schedule using their best judgment based on severity and development time. If the Fix Lead is 59 dealing with a public disclosure all timelines become ASAP (assuming the vulnerability has a CVSS 60 score >= 4). If the fix relies on another upstream project's disclosure timeline, that 61 will adjust the process as well. We will work with the upstream project to fit their timeline and 62 best protect our users.