|
1 | | -# Wolfi security information |
| 1 | +# Security Policy |
2 | 2 |
|
3 | | -## Reporting security incidents to Wolfi |
| 3 | +## Reporting a Vulnerability |
4 | 4 |
|
5 | | -At present, Wolfi's security incidents are handled by the Chainguard security team. |
| 5 | +Thank you for taking the time to disclose a potential security issue. |
6 | 6 |
|
7 | | -### Your concern is about CVE scanner results, missing CVE patches, etc. |
| 7 | +Please report vulnerabilities via email to [[email protected]](mailto:[email protected]). |
8 | 8 |
|
9 | | -**Please note that the bootstrap repositories are unsuitable for production |
10 | | -use and for the most part do not receive security fixes. |
11 | | -Security maintenance is only provided for the production repositories.** |
| 9 | +To assist our triage, please include: |
| 10 | +- A clear description of the issue and its potential impact. |
| 11 | +- Steps to reproduce or proof-of-concept if available. |
| 12 | +- Affected versions or commit hashes. |
| 13 | +- Any known mitigations or fixes. |
| 14 | +- How you would like to be credited if attribution is desired (e.g., name, known handle). |
12 | 15 |
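Review bot: the removed paragraph (old lines 9-11) is the only place that told readers the bootstrap repositories are unsuitable for production use and for the most part receive no security fixes, and the new triage checklist does not carry that warning anywhere. Reporters who hit an unpatched CVE in a bootstrap package will now file it as a vulnerability with no hint that it is out of scope. Suggest keeping one sentence under "Reporting a Vulnerability", for example "Security maintenance is only provided for the production repositories; the bootstrap repositories do not receive security fixes.", or linking to wherever that scope statement now lives.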
|
13 | | -Please open an issue in the [os](https://github.com/wolfi-dev/os/issues/new) repository |
14 | | -against the package which is flagged by a CVE scanner or is missing a CVE patch. |
| 16 | +## Disclosure Policy |
15 | 17 |
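Review bot: old lines 13-14 routed CVE scanner results and missing CVE patches to a public issue in the `wolfi-dev/os` repository, and this change drops that route without saying where such non-sensitive reports should now go. As written, every scanner finding is directed to the security mailbox alongside embargoed reports, which both slows triage and hides routine CVE rebuild requests from the public tracker. Suggest adding a short line before "Disclosure Policy" along the lines of "For CVE scanner findings or missing CVE patches in a package, please open an issue in the os repository" with the existing `https://github.com/wolfi-dev/os/issues/new` link, reserving the email address for issues that need embargo.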
|
16 | | -These issues will be triaged as normal. |
| 18 | +We are grateful when vulnerabilities are reported to us. |
17 | 19 |
|
18 | | -### Your concern is about anything else or otherwise concerns embargoed data |
| 20 | +As a reporter, you can expect: |
| 21 | +- A prompt acknowledgment of your report (within 72 hours). |
| 22 | +- A transparent dialog and timely fix for valid issues. |
| 23 | +- Credit for disclosure, if desired. |
19 | 24 |
|
20 | | -Please write to <[email protected]>, outlining the concern and explicitly note |
21 | | -that the concern is about Wolfi. |
22 | | - |
23 | | -## Retrieving security feeds from Wolfi |
24 | | - |
25 | | -Wolfi provides CVE remediation feeds for its production repositories, which may be |
26 | | -used for any purpose without any royalty, provided that attribution is provided to |
27 | | -the Wolfi project. |
28 | | - |
29 | | -The present feeds offered are: |
30 | | - |
31 | | -* [`https://packages.wolfi.dev/os/security.json`](https://packages.wolfi.dev/os/security.json), |
32 | | - a feed for the production Wolfi `os` repository. |
33 | | - |
34 | | -These feeds contain a list of `package` objects under `packages`, which contain a mapping |
35 | | -of versions and security issue identifiers (e.g. `CVE-XXXX-YYYYY`). An example `package` |
36 | | -object is: |
37 | | - |
38 | | -```json |
39 | | -{ |
40 | | - "pkg": { |
41 | | - "name": "binutils", |
42 | | - "secfixes": { |
43 | | - "2.39-r1": [ |
44 | | - "CVE-2022-38126" |
45 | | - ], |
46 | | - "2.39-r2": [ |
47 | | - "CVE-2022-38533" |
48 | | - ] |
49 | | - } |
50 | | - } |
51 | | -} |
52 | | -``` |
53 | | - |
54 | | -This format is used across APK distributions, including Alpine and others, so your |
55 | | -CVE scanning software likely already understands how to ingest them. |
56 | | - |
57 | | -Please open any requests for improvement to the security feeds to the [Wolfi |
58 | | -security database project](https://github.com/wolfi-dev/secdb). |
| 25 | +Please see the full [Chainguard Vulnerability Disclosure Policy](https://www.chainguard.dev/legal/inbound-vulnerability-disclosure-policy) to learn more. |
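Review bot: old lines 23-58 removed the entire "Retrieving security feeds from Wolfi" section, and with it the only pointers to `https://packages.wolfi.dev/os/security.json`, the documented `secfixes` format with its example, the statement that the feed may be used royalty-free with attribution, and the `https://github.com/wolfi-dev/secdb` link for feed improvement requests. None of that is vulnerability-reporting policy, so it does not belong in the new "Security Policy" text, but deleting it here leaves scanner integrators with no documentation of the feed or its licence unless it has been moved. Suggest either relocating that section to a separate document (and linking it from this file next to the Chainguard policy link) or stating in the commit message where the feed documentation now lives.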