minio/VULNERABILITY_REPORT.md

## Vulnerability Management Policy

This document formally describes the process of addressing and managing a
reported vulnerability that has been found in the MinIO server code base,
any directly connected ecosystem component or a direct / indirect dependency
of the code base.

### Scope

The vulnerability management policy described in this document covers the
process of investigating, assessing and resolving a vulnerability report
opened by a MinIO employee or an external third party.

Therefore, it lists pre-conditions and actions that should be performed to
resolve and fix a reported vulnerability.

### Vulnerability Management Process

The vulnerability management process requires that the vulnerability report
contains the following information:

 - The project / component that contains the reported vulnerability.
 - A description of the vulnerability. In particular, the type of the
   reported vulnerability and how it might be exploited. Alternatively,
   a well-established vulnerability identifier, e.g. CVE number, can be
   used instead.

Based on the description mentioned above, a MinIO engineer or security team
member investigates:

 - Whether the reported vulnerability exists.
 - The conditions that are required such that the vulnerability can be exploited.
 - The steps required to fix the vulnerability.

In general, if the vulnerability exists in one of the MinIO code bases
itself - not in a code dependency - then MinIO will, if possible, fix
the vulnerability or implement reasonable countermeasures such that the
vulnerability cannot be exploited anymore.
add vulnerability report policy (#11084) 4 years ago			`## Vulnerability Management Policy`

			`This document formally describes the process of addressing and managing a`
			`reported vulnerability that has been found in the MinIO server code base,`
			`any directly connected ecosystem component or a direct / indirect dependency`
			`of the code base.`

			`### Scope`

			`The vulnerability management policy described in this document covers the`
			`process of investigating, assessing and resolving a vulnerability report`
			`opened by a MinIO employee or an external third party.`

			`Therefore, it lists pre-conditions and actions that should be performed to`
			`resolve and fix a reported vulnerability.`

			`### Vulnerability Management Process`

			`The vulnerability management process requires that the vulnerability report`
			`contains the following information:`

			`- The project / component that contains the reported vulnerability.`
			`- A description of the vulnerability. In particular, the type of the`
			`reported vulnerability and how it might be exploited. Alternatively,`
			`a well-established vulnerability identifier, e.g. CVE number, can be`
			`used instead.`

			`Based on the description mentioned above, a MinIO engineer or security team`
			`member investigates:`

			`- Whether the reported vulnerability exists.`
			`- The conditions that are required such that the vulnerability can be exploited.`
			`- The steps required to fix the vulnerability.`

			`In general, if the vulnerability exists in one of the MinIO code bases`
			`itself - not in a code dependency - then MinIO will, if possible, fix`
			`the vulnerability or implement reasonable countermeasures such that the`
			`vulnerability cannot be exploited anymore.`