Zuul strives to be as secure as possible, implementing a layered defense-in-depth approach where any untrusted code is executed and leveraging well-reviewed popular libraries for its cryptographic needs. Still, bugs are inevitable and security bugs are no exception to that rule.
If you’ve found a bug in Zuul and you suspect it may compromise the security of some part of the system, we’d appreciate the opportunity to privately discuss the details before any suspected vulnerability is made public. There are a couple of possible ways you can bring security bugs to our attention:
Create a Private Story in StoryBoard
You can create a private story at the following URL:
Using this particular reporting URL helps prevent you from forgetting to set the Private checkbox in the new story UI before saving. If you’re doing this from a normal story creation workflow instead, please make sure to set this checkbox first.
Enter a short but memorable title for your vulnerability report and provide risks, concerns or other relevant details in the description field. Where it lists teams and users that can see this story, add the zuul-security team so they’ll be able to work on triaging it. For the initial task, select the project to which this is
zuul/nodepool) and if it relates to additional projects you can add another task for each of them, making sure to include a relevant title for each task. When you’ve included all the detail and tasks you want, save the new story and then you can continue commenting on it normally. Please don’t remove the Private setting; instead, wait for one of the zuul-security reviewers to do this once it’s deemed safe.
Report via Encrypted E-mail
If the issue is extremely sensitive or you’re otherwise unable to use the task tracker directly, please send an E-mail message to one or more members of the Zuul security team. You’re encouraged to encrypt messages to their OpenPGP keys, which can be found linked below and also on the keyserver network with the following fingerprints: