The Apache CloudStack project understands that as a core infrastructure project, the application security of Apache CloudStack is of critical importance to the community and users.

Apache CloudStack Security Team

The PMC has decided to create a "Security Team" for CloudStack. The Security Team's charter is to manage the response to vulnerabilities reported with Apache CloudStack. This includes communication with the reporter, issue verification, issue correction, public communication creation, and vendor coordination. The Security Team may ask for assistance from other community members to help verify or correct a reported issue.

Members of the PMC are eligible to join the security team, but lurking is discouraged.

Community members engaged by the Security Team are expected to hold the issue in confidence until public announcement of the vulnerability. This protects the users of the software and gives reasonable time for the response process to be implemented. Further information can be found on the ASF's How it Works page.

The CloudStack security team works closely with, and under the direction of, the ASF security team.

Reporting Potential Vulnerabilities in Apache CloudStack

If you've found an issue that you believe is a security vulnerability in a released version of CloudStack, please report it to security@cloudstack.apache.org with details about the vulnerability, how it might be exploited, and any additional information that might be useful.

Upon notification, the ACS security team will initiate the security response procedure. If the issue is validated, the team generally takes 2-4 weeks from notification to public announcement of the vulnerability. During this time, the team will communicate with you as they proceed through the response procedure, and ask that the issue not be announced before an agreed-upon date.

The security team asks that you please do not create publicly viewable JIRA tickets related to the issue. If validated, a JIRA ticket with the security flag set will be created for tracking the issue in a non-public manner.

Procedure for Responding to Potential Security Issues