Skip to content

Security: NilsPur/firewall-orchestrator

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

We’re extremely grateful for security researchers and users that report vulnerabilities to the Firewall Orchestrator Community. All reports are thoroughly investigated by the Firewall Orchestrator team.

In case you discover a security issue/vulnerability, please contact [email protected] with all the details, attaching necessary information if possible.

Do not open an issue!

When Should I Report a Vulnerability?

  • You think you have discovered a potential security vulnerability in Firewall Orchestrator.
  • You are unsure how a vulnerability affects Firewall Orchestrator.

When Should I NOT Report a Vulnerability?

  • You need help with tuning Firewall Orchestrator components for security.
  • You need help applying security related updates.
  • Your issue is not security related.

Security Vulnerability Response

Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days.

The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).

Public Disclosure Timing

A public disclosure date is negotiated by the security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Firewall Orchestrator maintainers and the security team will take the final call on setting a disclosure date.

(Some sections have been inspired and adapted from https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md).

Supported Versions

Version Supported
1.x
2.x
3.x
4.x ✅ (until 2022-12-31)
5.x

There aren’t any published security advisories