github.com/opentofu/opentofu@v1.7.1/SECURITY.md

github.com/opentofu/opentofu@v1.7.1/SECURITY.md (about)

     1  # Security Reporting Process
     2  
     3  Please report any security issue via
     4  [Private Vulnerability Reporting](https://github.com/opentofu/opentofu/security/advisories/new) where the issue will be triaged appropriately.
     5  Thank you in advance for helping to keep OpenTofu secure.
     6  
     7  # Security Release Process
     8  
     9  OpenTofu is a large growing community of volunteers, users, and vendors. The OpenTofu community has
    10  adopted this security disclosure and response policy to ensure we responsibly handle critical
    11  issues.
    12  
    13  ## Product Security Team (PST)
    14  
    15  Security vulnerabilities should be handled quickly and sometimes privately. The primary goal of this
    16  process is to reduce the total time users are vulnerable to publicly known exploits.
    17  
    18  The Product Security Team (PST) is responsible for organizing the entire response including internal
    19  communication and external disclosure but will need help from relevant developers to successfully
    20  run this process.
    21  
    22  The initial Product Security Team will consist of members of Steering Committee and Core Development Team. In the future we may
    23  decide to have a subset of maintainers work on security response given that this process is time
    24  consuming.
    25  
    26  ## Disclosures
    27  
    28  ### Private Disclosure Processes
    29  
    30  The OpenTofu community asks that all suspected vulnerabilities be privately and responsibly disclosed
    31  via the [reporting policy](README.md#reporting-security-vulnerabilities).
    32  
    33  ### Public Disclosure Processes
    34  
    35  If you know of a publicly disclosed security vulnerability please IMMEDIATELY submit a report via
    36  [Private Vulnerability Reporting](https://github.com/opentofu/opentofu/security/advisories/new) to inform the Product
    37  Security Team (PST) about the vulnerability so they may start the patch, release, and communication
    38  process.
    39  
    40  If possible the PST will ask the person making the public report if the issue can be handled via a
    41  private disclosure process (for example if the full exploit details have not yet been published). If
    42  the reporter denies the request for private disclosure, the PST will move swiftly with the fix and
    43  release process. In extreme cases GitHub can be asked to delete the issue but this generally isn't
    44  necessary and is unlikely to make a public disclosure less damaging.
    45  
    46  ## Patch, Release, and Public Communication
    47  
    48  For each vulnerability a member of the PST will volunteer to lead coordination with the "Fix Team"
    49  and is responsible for sending disclosure emails to the rest of the community. This lead will be
    50  referred to as the "Fix Lead."
    51  
    52  The role of Fix Lead should rotate round-robin across the PST.
    53  
    54  Note that given the current size of the OpenTofu community it is likely that the PST is the same as
    55  the "Fix team." (I.e., all maintainers). The PST may decide to bring in additional contributors
    56  for added expertise depending on the area of the code that contains the vulnerability.
    57  
    58  The Fix Lead drives the schedule using their best judgment based on severity and development time. If the Fix Lead is
    59  dealing with a public disclosure all timelines become ASAP (assuming the vulnerability has a CVSS
    60  score >= 4). If the fix relies on another upstream project's disclosure timeline, that
    61  will adjust the process as well. We will work with the upstream project to fit their timeline and
    62  best protect our users.