Vulnerability Reporting

Zuul strives to be as secure as possible, implementing a layered defense-in-depth approach where any untrusted code is executed and leveraging well-reviewed popular libraries for its cryptographic needs. Still, bugs are inevitable and security bugs are no exception to that rule.

If you’ve found a bug in Zuul and you suspect it may compromise the security of some part of the system, we’d appreciate the opportunity to privately discuss the details before any suspected vulnerability is made public. There are a couple possible ways you can bring security bugs to our attention:

Create a Private Story in StoryBoard

You can create a private story at the following URL:!/story/new?force_private=true

Using this particular reporting URL helps prevent you from forgetting to set the Private checkbox in the new story UI before saving. If you’re doing this from a normal story creation workflow instead, please make sure to set this checkbox first.

Enter a short but memorable title for your vulnerability report and provide risks, concerns or other relevant details in the description field. Where it lists teams and users that can see this story, add the zuul-security team so they’ll be able to work on triaging it. For the initial task, select the project to which this is specific (e.g., zuul/zuul or zuul/nodepool) and if it relates to additional projects you can add another task for each of them making sure to include a relevant title for each task. When you’ve included all the detail and tasks you want, save the new story and then you can continue commenting on it normally. Please don’t remove the Private setting, and instead wait for one of the zuul-security reviewers to do this once it’s deemed safe.

Report via Encrypted E-mail

If the issue is extremely sensitive or you’re otherwise unable to use the task tracker directly, please send an E-mail message to one or more members of the Zuul security team. You’re encouraged to encrypt messages to their OpenPGP keys, which can be found linked below and also on the keyserver network with the following fingerprints: