- Please report potential security vulnerabilities using GitHub's private vulnerability reporting. Make sure to not disclose this information in public.
- Provide a detailed description of the potential vulnerability, ensuring you include steps that can help in reproducing the issue.
We will make every effort to respond to and resolve security issues in a timely manner. To that end, our goals when handling security issues are:
- Acknowledge every report within three working days.
- Assess the report, evaluate its impact and severity, and determine its authenticity, providing a new update within five working days.
- Work diligently to address any verified vulnerabilities. While the time to deliver a fix will vary depending on complexity, throughout this process, we'll provide timely updates on our progress until resolution.
- Once the vulnerability has been fixed, make a public announcement crediting you for the discovery (unless you wish to remain anonymous).
Upon confirmation of a security issue, our approach is:
- Verify the vulnerability and determine affected versions.
- Develop a fix or a workaround.
- Upon a successful fix or workaround, inform the community through a public advisory.
Security fixes are made available in the latest major version and backported to older versions per the BeeGFS support policy.
To help prevent security vulnerabilities, we:
- Regularly review and update our dependencies using Dependabot and CodeQL.
- Adhere to best coding practices and conduct regular code reviews.
- Actively seek feedback and input from our developer community on security matters.
We're thankful to our community for their active involvement in enhancing the safety of our project. Those who've identified vulnerabilities are recognized in our release notes, unless they've opted for anonymity.