Security Reporting
Revision as of 12:15, 20 November 2022
Proxmox Server Solutions takes security of its projects seriously.
As such, we'd like to know when a security bug is found so that it can be fixed and disclosed in a timely manner.
Note that we only support the latest point release, where the version is not yet EOL (End of Life). So, before reporting, please verify that the issue is present in a release that is still supported. For that, consider the following support timeline tables:
- Proxmox VE: https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
- Proxmox Backup Server: https://pbs.proxmox.com/docs/faq.html#how-long-will-my-proxmox-backup-server-version-be-supported
- Proxmox Mail Gateway: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#faq-support-table
Contact
Please report security bugs to the Proxmox security team by email at <security@proxmox.com>.
Include all relevant information required to reproduce the issue.
Any exploit code is considered helpful - we will treat such samples as private and won't publish them. If you or your organization has already assembled a fix and has signed our CLA, please send it along as a patch, as that can speed up the process considerably.
Please send plain text emails without attachments where possible. It is much harder to have a context-quoted discussion about a complex issue if all the details are hidden away in attachments.
We will normally send out an initial confirmation mail about the reception of a report within the next (Austrian) business day.
If you must send highly confidential information, you may use the following public GPG key, with fingerprint E679 2AA6 98E1 1855 375A B9E3 5D0C BD43 61F2 04C5, to encrypt the message.
pub rsa4096 2022-09-01 [expires: 2032-08-29] E6792AA698E11855375AB9E35D0CBD4361F204C5
uid Proxmox Security Team <security@proxmox.com>
The key is additionally available to download in binary format from the enterprise CDN.
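One way to check a downloaded copy of the key against the fingerprint published above before encrypting a report to it. This is an added example, not part of the original page or Proxmox's own tooling; the key file and report file names passed to `encrypt_report` are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Fingerprint as published on this page.
EXPECTED_FPR="E679 2AA6 98E1 1855 375A B9E3 5D0C BD43 61F2 04C5"

# Constructed sample of `gpg --with-colons` output (timestamps are made up).
SAMPLE_LISTING='pub:-:4096:1:5D0CBD4361F204C5:1662049898:::-:::scESC:
fpr:::::::::E6792AA698E11855375AB9E35D0CBD4361F204C5:
uid:-::::1662049898::::Proxmox Security Team <security@proxmox.com>:'

# Strip whitespace and upper-case so grouped and ungrouped forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read colon-format key listing on stdin; print the primary fingerprint
# (first "fpr" record, field 10) only if the input holds exactly one key.
primary_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && !f { f = $10 }
             END { if (n == 1) print f }'
}

# Succeed only if the listing on stdin is a single key with the expected fingerprint.
fpr_matches() {
    got=$(primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Verify the key file ($1) first, then import it and encrypt the report ($2).
encrypt_report() {
    keyfile=$1; report=$2
    if ! gpg --show-keys --with-colons "$keyfile" | fpr_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: not importing $keyfile" >&2
        return 1
    fi
    gpg --import "$keyfile" &&
    gpg --armor --encrypt --trust-model always \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$report.asc" "$report"
}
# Usage (hypothetical file names): encrypt_report proxmox-security.asc report.txt
```

The check refuses a file that contains more than one key, so an extra key bundled alongside the expected one is not imported.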
Disclosure and Embargoed Information
Once a robust fix has been developed, the release process starts. Proxmox Server Solutions will release fixes for publicly undisclosed bugs as soon as they become available, but we can hold back sensitive information from commits and change logs at the request of the reporter or an affected party.
CVE assignment
The security team does not normally assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay the bug handling.
We would still appreciate it if you notified us about any assigned ID, for coordination and communication purposes.
Infrastructure Issues
If you found an issue within our infrastructure's software, we'd appreciate it if you used one of the following approaches, depending on the kind of bug in question:
- for bugs in the underlying software, we recommend contacting the respective upstream; if that isn't active anymore, it can make sense to give our security team a heads-up
- for configuration bugs, you can follow the standard reporting procedure above and contact us via email
- Please note, however, that problems found by automatic scanners are often either outdated practices or have little practical impact (e.g., on websites where the browser can already take care of protection itself).
- Some scanners also report our email settings as problematic, but they are deliberately chosen because we also operate various email services such as mailing lists that require special attention.
Bug Bounties
Proxmox Server Solutions GmbH currently does not offer paid bug bounties. We understand that security research takes a lot of effort, and we'll periodically evaluate if we can allocate some funding in the future.