Apache CloudStack: Security
Security Model
The Apache CloudStack project understands that as a core infrastructure project, the application security of Apache CloudStack is of critical importance to the community and users.
It is important to know that the project can not guarantee that it will be secure with the following usages:
- share access to the DataBase
- share database dumps or other forms of backups
- share log files
- use any of the third party integration components, that are meant for monitoring, storage, network and more.
That said, the project will work with any one on improving the secure use of the software it provides, with any 3rd party integration vendors or users of the software. This can be done on public github issues or confidentially if so desired.
Reporting Potential Vulnerabilities in Apache CloudStack
If you've found an issue that you believe is a security vulnerability in a released version of CloudStack, please report it to the ASF security team via email to security@apache.org with details about the vulnerability, how it might be exploited, and any additional information that might be useful.
Upon notification, the ASF security team will work with the CloudStack PMC through validation and fixing the issue. If the issue is validated, it generally takes 2-4 weeks from notification to public announcement of the vulnerability. During this time, the team will communicate with you as they proceed through the response procedure, and ask that the issue not be announced before an agreed-upon date.
Please do not create publicly-viewable JIRA tickets related to the issue. If validated, a JIRA ticket with the security flag set will be created for tracking the issue in a non-public manner, and made public at the appropriate time.
Procedure for Responding to Potential Security Issues
We're follow the Apache Security Team's procedures documented here.
For further information
Further information about Apache CloudStack's security practices can be found in the CloudStack Security wiki page.