Add security vulnerability FAQs to README.md #433

Closed
wants to merge 2 commits into from
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -142,6 +142,16 @@ For more info on the FIPS provider see: https://github.com/openssl/openssl/blob/

## Security

### What is the image security vulnerability scanning process?
SageMaker Distribution images have ECR enhanced scanningenabled for detecting Common Vulnerabilities and Exposures (CVE). CVE is a list of publicly known information about security vulnerability and exposure. The National Vulnerability Database (NVD) provides CVE details such as severity, impact rating, and fix information. Both CVE and NVD are available for public consumption and free for security tools and services to use. For more information, see CVE Frequently Asked Questions (FAQs). The scan will be executed continuously for all actively supported image versions, and SageMaker will release new image versions to fix the CVEs based on the scanning results.

### How are security issues fixed?
SageMaker team will regularly release new image version with fixes to the security issues. If the security fix requires a minor or major version release, SageMaker team may release ad-hoc versions with the fix. Once a new image version is released, you will be able to pull the latest images with security fixes from our ECR repositories.

### Can I still access the older image versions once a newer image version is released?
We don't take down images once they are released as they would be used by customers and we don't break customers at runtime by removing products. You will still be able to pull older images from our ECR repositories. However, it is highly recommended for you to consume the latest image versions to obtain the most up-to-date functionalities, security patches, and more.


See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

## License
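Review bot: the new "What is the image security vulnerability scanning process?" answer says "For more information, see CVE Frequently Asked Questions (FAQs)" without a link, so readers cannot follow the reference; the rest of this README links its references inline (the FIPS provider line at the top of the hunk and the `[CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications)` line below), so this should become `see [CVE Frequently Asked Questions (FAQs)](...)` with the URL filled in. Same hunk, wording: "ECR enhanced scanningenabled" should be "ECR enhanced scanning enabled", and "SageMaker team will regularly release new image version with fixes to the security issues" should read "The SageMaker team will regularly release new image versions with fixes for security issues". The "Can I still access the older image versions" answer should state explicitly whether older images are ever rebuilt or keep the CVEs they were released with; the previous answer only says fixes ship in new versions, and saying so directly gives the "highly recommended" advice its reason. The double blank line before the "See [CONTRIBUTING]" line can be collapsed to one.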