Security Reporting

From Proxmox VE
Revision as of 11:37, 3 November 2022 by Martin (talk | contribs) (added HOWTO category)

Proxmox Server Solutions takes security seriously. As such, we'd like to know when a security bug is found so that it can be fixed and disclosed in a timely manner.

Note that we only support the latest point release of each version that is not yet EOL (End of Life). So, before reporting, please verify that the issue is present in a release that is still supported. For that, consult the following support timeline tables:

Contact

Please report security bugs to the Proxmox security team by email at <security@proxmox.com>.

Include all relevant information required to reproduce the issue.

Any exploit code is considered helpful - we will treat such samples as private and won't publish them. If you or your organization have already assembled a fix and have signed our CLA, please send it along as a patch, as that can speed up the process considerably.

Please send plain text emails without attachments where possible. It is much harder to have a context-quoted discussion about a complex issue if all the details are hidden away in attachments.

We will normally send an initial mail confirming receipt of a report within the next (Austrian) business day.

If you must send highly confidential information, you may encrypt the message with the following public GPG key, with fingerprint E679 2AA6 98E1 1855 375A B9E3 5D0C BD43 61F2 04C5.

pub   rsa4096 2022-09-01 [expires: 2032-08-29]
      E6792AA698E11855375AB9E35D0CBD4361F204C5
uid                      Proxmox Security Team <security@proxmox.com>


The key is additionally available for download in binary format from the enterprise CDN.

Disclosure and Embargoed Information

Once a robust fix has been developed, the release process starts. Proxmox Server Solutions will release fixes for publicly undisclosed bugs as soon as they become available, but we can hold back sensitive information from commits and change logs at the request of the reporter or an affected party.

CVE assignment

The security team does not normally assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay handling of the bug.

We would still appreciate being notified of any assigned ID, for coordination and communication purposes.