
Salt Security
Saltproject.io
External Program
Submit bugs directly to this organization


The SaltStack Security Team is available at [email protected] for security-related bug reports or questions.
We request that any security-related bugs or issues be reported non-publicly until the issue can be resolved and a security-fix release can be prepared. At that time we will release the fix and make a public announcement with upgrade instructions and download locations.
SaltStack takes security and the trust of our customers and users very seriously. Our disclosure policy is intended to resolve security issues as quickly and safely as possible.
A security report sent to [email protected] is assigned to a team member. This person is the primary contact for questions and will coordinate the fix, release, and announcement.
The reported issue is reproduced and confirmed. A list of affected projects and releases is made.
Fixes are implemented for all affected projects and releases that are actively supported. Back-ports of the fix are made to any old releases that are actively supported.
Packagers are notified via the salt-packagers mailing list that an issue was reported and resolved, and that an announcement is incoming.
A pre-announcement is sent out to the salt-announce mailing list approximately a week before the CVE release. This announcement does not include details of the vulnerability. The pre-announcement will include the date the release will occur and the vulnerability rating.
A new release is created and pushed to all affected repositories. The release documentation provides a full description of the issue, plus any upgrade instructions or other relevant details.
An announcement is made to the salt-users and salt-announce mailing lists. The announcement contains a description of the issue and a link to the full release documentation and download locations.