- Please report potential security vulnerabilities using GitHub's private vulnerability reporting. Make sure to not disclose this information in public.
- Provide a detailed description of the potential vulnerability, ensuring you include steps that can help in reproducing the issue.
While the BeeGFS CSI Driver is an open source project and support for the driver is "best effort", we will make every effort to response to and resolve security issues in a timely manner. To that end our goals when handling security issues are:
- Acknowledge every report within three working days.
- Assess the report, evaluate its impact and severity, and determine its authenticity providing an new update within five working days.
- Work diligently to address any verified vulnerabilities. While the time to deliver a fix will vary depending on complexity, throughout this process, we'll provide timely updates on our progress until resolution.
- Once the vulnerability has been fixed, we will make a public announcement crediting you for the discovery (unless you wish to remain anonymous).
Upon confirmation of a security issue, our approach is:
- Verify the vulnerability and determine affected versions.
- Develop a fix or a workaround.
- Upon a successful fix or workaround, inform the community through a public advisory.
Only the latest version of the BeeGFS CSI driver is supported with security updates. Users are urged to always use the latest version and generally fixes are not backported to older versions per our support policy
To help prevent security vulnerabilities, we:
-
Regularly review and update our dependencies using Dependabot and CodeQL.
-
Adhere to best coding practices and conduct regular code reviews.
-
Actively seek feedback and input from our developer community on security matters.
We're thankful to our community for their active involvement in enhancing the safety of our project. Those who've identified vulnerabilities are recognized in the CHANGELOG, unless they've opted for anonymity.