Security Reporting

From Proxmox VE
Revision as of 13:15, 20 November 2022 by Thomas Lamprecht (talk | contribs)
Jump to navigation Jump to search


Proxmox Server Solutions takes security of its projects seriously. As such, we'd like to know when a security bug is found so that it can be fixed and disclosed in a timely manner.

Note that we only support the latest point release, where the version is not yet EOL (End of Life). So, before reporting, please verify that the issue is present in a release that is still supported. For that, consider the following support timeline tables:

Contact

Please report security bugs to the Proxmox security team by email at <security@proxmox.com>.

Include all relevant information required to reproduce the issue.

Any exploit code is considered helpful - we will treat such samples as private and won't publish them. If you or your organization already assembled a fix and has signed our CLA please send that along as patch, as that can speed up the process considerably.

Please send plain text emails without attachments where possible. It is much harder to have a context-quoted discussion about a complex issue if all the details are hidden away in attachments.

We will normally send out an initial confirmation mail about the reception of a report within the next (Austrian) business day.

If you must send highly confidential information you may use the following public GPG key, with fingerprint E679 2AA6 98E1 1855 375A B9E3 5D0C BD43 61F2 04C5 to encrypt the message.

pub   rsa4096 2022-09-01 [expires: 2032-08-29]
      E6792AA698E11855375AB9E35D0CBD4361F204C5
uid                      Proxmox Security Team <security@proxmox.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGMQ2moBEACiyToARfkvOCeCTB8f5vVFSBJ5Shh7RUSXt4UQLa/FMjFKp9ZA
YV6n3kcLkLOxZGFMruI7zlQD31tu2pApPP8NKCjeZwg2dqS72F29xQdDDY4UlxjX
T5UckNtKY6Uqlarrd2cMFL5bUsM47LaTt/EtBFdhl4YiW2i6Z7FtR2MKZtEZnb3s
x31XrWUh9mGyJ+gZyHmNOn9HrUf4LCo+HDqirAMiuJiVnCHVIbhOgVf1jHNuYfKU
cyaxXbhfqdWuWkc0K7+2+ClaiKrifEbQ56SbnrYEmCOl2WB1vF4GuPCN4rRByLBa
cfI1GQlChZtXBpDKwZYTm4OxUfouRb7F1Dc19zejqSUHO+rCKseXMM45YSs48jJU
LYjSa7FQTaHjpN1M7Zoz/P5bgbBd4pAXF5BdBekuQRc0P3VzTLISDXKTSJ6mvTk3
hcMk7Wr6KGeUt0ftP1AblRvGdeQ8w8VVgEqc+yAozFguRTUmpvEo+714Ak+MyFm8
FXMdwRetnJ7IVsPxaQIzHjWoWPGAKhXecmi/uLC8caU4+vlNsFT87GMz7mOuyDhK
n+8fIbn7IRvuJXjQB73eQS+My+9jLGK6UjIAz8MmA0LumZ6sfunevAyDqSc/lGkc
Jcore+Qb3AC0excFCbgND31+i/iJHXIbSe7Fra/9zN+GodAjnXnQn2HHLQARAQAB
tCxQcm94bW94IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHByb3htb3guY29tPokC
VAQTAQoAPhYhBOZ5KqaY4RhVN1q5410MvUNh8gTFBQJjENpqAhsvBQkSzAMABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEF0MvUNh8gTFkvwP/0B+RNoTHbMRaaNz
RGl6sAshc6DOxCqxjCibWfiRr0pXADzL+NdNDyRsPY+i9Q+QQukF1PvPx9HBf4bu
3gcJ5cVbi9/nYH4BiWNM0z8HDoYto3PpCDLK944dbUV4OfnYp3rp8GkMLq7CUB9l
Hji7m63bGXuB+Rc/iEFoNKXtYh7fZIq8WiWDwOVdyslc/wC3RjbEPhXts3SHntXl
y5Qdr1WEcFLW6GjfMUeJR5Oy3XccfKVPKhoNgGqrUqaN0PCQsQWCJ6czc0uGzP1p
EFu8ct5C71/iZ0eak84SRf8cQxN2gwTb40rAkNIq3msCT8oaSc2vZQ0X+S0+Abq4
5YOkNlCQB9f7XOKCTajjiYlElXw4H4X0uO4uKQbCBeXBI3HktivpQ1rEadXJiCl/
eayeN6nBdOkupev73g3xVXCyI+QFd4IVufTqi1m857f3dNv/suHLj/Upd6q8rmqq
M5s+e+3qUiAhEoB7sSCsXCh60SnDGYHsRa33F2Fz8pPpmuboW55z8OOaAgrVt/TB
oZJdTzUCx77HXKMvlulZkjfuWzOB+qh6CR+bzNWzVyD3yYpNbH0UF+vBZ3sYb7Al
/rAorlMz/gybSdrilHoxz2w9grcrTg6jk/dLwesCm1bzJKznEFVHQv/Mk+Kt+ZQ4
/pfx41HDLtAoGfQBWxjy8n2Qrk8l
=UVAu
-----END PGP PUBLIC KEY BLOCK-----

Additionally available to download in binary format from the enterprise CDN.

Disclosure and Embargoed Information

Once a robust fix has been developed, the release process starts. Proxmox Server Solutions will release fixes for publicly undisclosed bugs as soon as they become available, but we can hold back sensible information from commits and change logs at the requests of the reporter or an affected party.

CVE assignment

The security team does not normally assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay the bug handling.

We would still appreciate if you notify us about any assigned ID, for coordination and communication purpose.

Infrastructure Issues

If you found an issue within our infrastructure's software we'd appreciate if you use one of the following approaches, depending on the kind of bug in question:

  • for bugs in the underlying software we recommend contacting the respective upstream, if that isn't active anymore it can make sense to give our security team a heads-up
  • for configuration bugs, you can follow the standard reporting procedure above and contact us via email
Please note, however, that problems found by automatic scanners are often either outdated practices or have little practical impact (e.g., on websites where the browser can already take care of protection itself).
Some scanners also report our email settings as problematic, but they are deliberately chosen because we also operate various email services such as mailing lists that require special attention.

Bug Bounties

Proxmox Server Solutions GmbH currently does not offer paid bug bounties. We understand that security research takes a lot of effort, and we'll periodically evaluate if we can allocate some funding in the future.