Please open Github issue at https://github.com/minio/directpv/issues
The latest release of DirectPV comes with security and vulnerability fixes in previous releases. It is strongly recommended to use the latest version. Before reporting security/vulnerability issues, make sure those issues are not fixed in the latest release.
All security issues should be reported by email to security@min.io. Your email will be acknowledged within 48 hours, and you'll receive a more detailed response to your email within 72 hours indicating the next steps in handling your report. DO NOT OPEN GITHUB ISSUES for security bugs.
Please, provide a detailed explanation of the issue. In particular, outline the type of the security issue (DoS, authentication bypass, information disclose, ...) and the assumptions you're making (e.g. do you need access credentials for a successful exploit).
If you have not received a reply to your email within 48 hours or you have not heard from the security team for the past five days please contact the security team directly:
- Primary security coordinators: sid@min.io
- Secondary coordinator: harsha@min.io
- If you receive no response: dev@min.io
MinIO uses the following disclosure process:
- Once the security report is received one member of the security team tries to verify and reproduce the issue and determines the impact it has.
- A member of the security team will respond and either confirm or reject the security report. If the report is rejected the response explains why.
- Code is audited to find any potential similar problems.
- Fixes are prepared for the latest release.
- On the date that the fixes are applied a security advisory will be published on https://blog.min.io. Please inform us in your report email whether MinIO should mention your contribution w.r.t. fixing the security issue. By default MinIO will not publish this information to protect your privacy.
This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.
This document formally describes the process of addressing and managing a reported vulnerability that has been found in the MinIO server code base, any directly connected ecosystem component or a direct / indirect dependency of the code base.
The vulnerability management policy described in this document covers the process of investigating, assessing and resolving a vulnerability report opened by a MinIO employee or an external third party.
Therefore, it lists pre-conditions and actions that should be performed to resolve and fix a reported vulnerability.
The vulnerability management process requires that the vulnerability report contains the following information:
- The project / component that contains the reported vulnerability.
- A description of the vulnerability. In particular, the type of the reported vulnerability and how it might be exploited. Alternatively, a well-established vulnerability identifier, e.g. CVE number, can be used instead.
Based on the description mentioned above, a MinIO engineer or security team member investigates:
- Whether the reported vulnerability exists.
- The conditions that are required such that the vulnerability can be exploited.
- The steps required to fix the vulnerability.
In general, if the vulnerability exists in one of the MinIO code bases itself - not in a code dependency - then MinIO will, if possible, fix the vulnerability or implement reasonable countermeasures such that the vulnerability cannot be exploited anymore.