SECURITY.md

# Security policy

## Supported versions
<!-- Include start supported versions -->

Incus has two types of releases:

- Feature releases
- LTS releases

For feature releases, only the latest one is supported, and we usually
don't do point releases. Instead, users are expected to wait until the
next release.

For LTS releases, we do periodic bugfix releases that include an
accumulation of bugfixes from the feature releases. Such bugfix releases
do not include new features.

<!-- Include end supported versions -->

## What qualifies as a security issue

We don't consider privileged containers to be root safe, so any exploit
allowing someone to escape them will not qualify as a security issue.
This doesn't mean that we're not interested in preventing such escapes,
but we simply do not consider such containers to be root safe.

Unprivileged container escapes are certainly something we'd consider a
security issue, especially if somehow facilitated by Incus.

## Reporting security issues

Security issues can be reported by e-mail to security@linuxcontainers.org.
Alternatively security issues can also be reported through Github at: https://github.com/lxc/incus/security/advisories/new
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00			`# Security policy`
doc: fix markdown errors for MD022 MD022 - Headers should be surrounded by blank lines https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md#md022---headers-should-be-surrounded-by-blank-lines Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-08-25 14:05:23 +02:00
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00			`## Supported versions`
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00			`<!-- Include start supported versions -->`

SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`Incus has two types of releases:`
doc: fix markdown errors for MD004-MD007 MD004 - Unordered list style MD005 - Inconsistent indentation for list items at the same level MD006 - Consider starting bulleted lists at the beginning of the line MD007 - Unordered list indentation https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-08-25 14:11:27 +02:00
SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`- Feature releases`
doc: fix markdown errors for MD004-MD007 MD004 - Unordered list style MD005 - Inconsistent indentation for list items at the same level MD006 - Consider starting bulleted lists at the beginning of the line MD007 - Unordered list indentation https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-08-25 14:11:27 +02:00			`- LTS releases`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00			`For feature releases, only the latest one is supported, and we usually`
			`don't do point releases. Instead, users are expected to wait until the`
SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`next release.`
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00
			`For LTS releases, we do periodic bugfix releases that include an`
			`accumulation of bugfixes from the feature releases. Such bugfix releases`
			`do not include new features.`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00			`<!-- Include end supported versions -->`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00			`## What qualifies as a security issue`
doc: fix markdown errors for MD022 MD022 - Headers should be surrounded by blank lines https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md#md022---headers-should-be-surrounded-by-blank-lines Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-08-25 14:05:23 +02:00
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00			`We don't consider privileged containers to be root safe, so any exploit`
doc: fix language in SECURITY.md Signed-off-by: Ruth Fuchss <ruth.fuchss@canonical.com> 2022-01-13 09:38:32 +01:00			`allowing someone to escape them will not qualify as a security issue.`
			`This doesn't mean that we're not interested in preventing such escapes,`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00			`but we simply do not consider such containers to be root safe.`

			`Unprivileged container escapes are certainly something we'd consider a`
SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`security issue, especially if somehow facilitated by Incus.`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00
SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`## Reporting security issues`
doc: Initial Github security policy Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> 2019-09-30 22:00:26 -04:00
SECURITY: Update policy Signed-off-by: Stéphane Graber <stgraber@stgraber.org> 2023-08-29 23:35:59 -04:00			`Security issues can be reported by e-mail to security@linuxcontainers.org.`
			`Alternatively security issues can also be reported through Github at: https://github.com/lxc/incus/security/advisories/new`