We realize that CloudStack is considered critical infrastructure in many organizations, and as such these organizations need as much advance notice of security issues as possible so they can respond in a timely manner. To this end, a "pre-disclosure" list was created.

This list contains the email addresses of the security response teams for significant CloudStack distributors. This includes both corporations and community institutions. The purpose of the pre-disclosure list is to enable the CloudStack project and its distributors to participate in a bi-directional information sharing agreement for vulnerabilities. By joining the pre-disclosure list, the organization and Apache CloudStack (ACS) mutually agree to share vulnerability information that is originally reported to either of them, to jointly verify and fix issues, and to jointly (simultaneously) make vulnerability announcements and hot-fix releases (if warranted) to the public. ACS and the organizations on the pre-disclosure list are also expected to be reasonably responsive, with a guideline of 2-4 weeks to verify issues and release fixes (if warranted). Response times should be discussed and agreed upon depending on the severity of the issue.

Pre-disclosure list members are expected to maintain the confidentiality of the vulnerability up to the embargo date that has been agreed with the discoverer. Prior to the embargo date, pre-disclosure list members must not make available, even to their own customers and partners:

  • The ASF advisory
  • Their own advisory
  • The impact, scope, set of vulnerable systems or the nature of the vulnerability
  • Revision control commits which are a fix for the problem
  • Patched software (even in binary form) without prior consultation with the Security Team

List members are allowed to make available to their users only the following:

  • The existence of an issue
  • The assigned CVE numbers
  • The planned disclosure date

List Membership

The Security Team decides which organizations are admitted to the pre-disclosure list. Generally, well-established organizations with a mature security response process will be considered on a case-by-case basis. Organizations that meet these criteria should contact security@cloudstack.apache.org if they wish to participate in the pre-disclosure activities. The list of entities on the pre-disclosure list is public; no organization may privately receive pre-disclosure information.

The organizations currently on the pre-disclosure list are:

  • Accelerite
  • Exoscale