Browse Source

Add instructions for reporting vulnerabilities

Prominently in the Zuul User Guide, include a brief overview of
preferred methods for reporting suspected security vulnerabilities.
Also link to it from the README in such a way that the same
reference can be reused in other related Zuul repositories following
the same policy.

Change-Id: I2bd13bd13372f26c328cd7d6b5618ee8edffe490
changes/52/554352/7
Jeremy Stanley 4 years ago
parent
commit
ddd8594a3c
  1. 4
      README.rst
  2. 162
      doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
  3. 71
      doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
  4. 1
      doc/source/user/index.rst
  5. 68
      doc/source/user/vulnerabilities.rst

4
README.rst

@ -38,6 +38,10 @@ To clone the latest code, use `git clone https://git.zuul-ci.org/zuul`
Bugs are handled at: https://storyboard.openstack.org/#!/project/openstack-infra/zuul
Suspected security vulnerabilities are most appreciated if first
reported privately following any of the supported mechanisms
described at https://zuul-ci.org/docs/zuul/user/vulnerabilities.html
Code reviews are handled by gerrit at https://review.openstack.org
After creating a Gerrit account, use `git review` to submit patches.

162
doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt

@ -0,0 +1,162 @@
pub rsa4096/0x48F9961143495829 2010-06-12 [SC] [expires: 2019-03-23]
Key fingerprint = 97AE 496F C02D EC9F C353 B2E7 48F9 9611 4349 5829
uid [ultimate] Jeremy Stanley <fungi@yuggoth.org>
uid [ultimate] [jpeg image of size 2509]
uid [ultimate] Jeremy Stanley <jeremy@openstack.org>
sub rsa4096/0x17FC38FB4C6A6B3D 2010-06-12 [E] [expires: 2019-03-23]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBEwToAQBEADkKijUR///dymLBuHX/C7VrKzqyR41QLE+yO2XoT6nP075MYuk
1850i9mN7D4lGu4fpW7kmXirvowvN9CqMN8/T/yQNJtNcFD4ff9FEdUF7DnDNPYZ
pq9iqkq2kMYm3dh2DwG0BdmsI0TAXfi1cFEizS6vxduLhCAMqon7TaNpcYhED/Id
nKpS9pLbjfAG22i7worar//RlZE63CfwJti+rG6Zjg6BLflsD35TRc57asO2NDHp
gFDUc0i5YjyPQGhYM91hqo/84pUe7A/atyTVSYHhe+SPwIGoHQorbdpaDAPhYv+g
IMZ+hOBIATFsdyCUpg+X7HXyv+jxY5Enpxc4BvfyaxIm7iywjRANhlFvdV4+pSvY
d0JhwSMxWyG5G/xzruM9B8dJtKdYHYRpn9OmNWTIM+qeZEjlpYWIazw9CPZqo4HS
FGgCrALt1RbSAfFJGF1890QArlRgkwDHIS7GPXNdZCPCCGczG72Ivs613wInUAlZ
767D4sKtY9L2XjKxndk8Rti6ceq0ENMRPy7SE1T14OkZM/eKQ/QhzjCLd4hpl/74
HA0Tp13+LBUN51ttyn/taaFx1dA8AhAln0rx8McROjY82KEC/dA8pn/GlWQs00Se
X8OzM8V943CwNEWLeOwUdUZQlmKMvoRJFZ1pmjp3M8LDUSnX+Dv68B/ekwARAQAB
tCJKZXJlbXkgU3RhbmxleSA8ZnVuZ2lAeXVnZ290aC5vcmc+iQJXBBMBCgBBAhsD
BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEEl65Jb8At7J/DU7LnSPmWEUNJ
WCkFAlq0/AEFCRCCj30ACgkQSPmWEUNJWCmYgBAAwR3YG/zGYvhNUJkvv4FqEP7P
b6M8fzx+wFTguLSAYjs31mWO0P6yFt05Wo2MCtDLi4kQzJ2Sim0FfqOTdebpVvjU
i80or0TsmrXV47YVfsq1T8BmL+TvcF/vS/MArhnX/4RNnPNyhB56sTsN7tfmBsWn
MjkUv/J5pB7Wm398EF0TvOL4DI/RgE7uzz/UB4S/ZwPdDMtZW5aJZaXcCkiHOvMh
P1jlILjYJ0iBNayCtmBPXZYEqq/sk3GGxLHvCHTBUJMPsXQjXokWjQu5xUUf5/4b
LBVzEvVB4pzg8s6SyGcrRA5sfT5BkxlRrkSl8/yhlgaRq/4FgAZu3HpceAlLSXHX
3NNbUGjMieG1FXE+aGz7QWb42oZKK3MZCd7IpNjAI+8AaNTH2q++9gBNUvkCyZNu
yuWZXe8s+PbJ9HRBcKRvvZ6A+3gmWjqW0OrEPQ5GnLyDw5Wr+TadLt4WXeg7VxcW
HaORUSTzm5aESpUrsPlIf/dUiMtbNunLaW3Na9HLRIYsS7wsHeUXv6kyHJX0nczB
B56Hbu/hE65xhM+FxG8UdCNdMZCfWr6AlbhVuNACPAaB9XXs8xQnq8zc+rjnqIE2
FBx5SW5CIZlmXdC5SY0jb9KC2eWqgRtKKikK1uab5vSV5HYY57UG1gQt8IlBacMR
DFSm9g2cAw/+rFCFg4q0IktpbnJ1aSA8a2lucnVpQGthdGFyc2lzLm11ZHB5Lm9y
Zz6JAjUEMAEIAB8FAlGJSR4YHSBVbnVuc2VkIEUtbWFpbCBBZGRyZXNzAAoJEEj5
lhFDSVgpcr8P/ilIGDNXXpAiUqbxLEImJRZ/bBrJKkW+OVaDYcyCZkOLnGFcVa++
mcHHSMS4EHe7nhRl97yKW1+rQiIrEMnEGtE58OvhDy7ic7SYFrs46k6m1Q/6Trik
Zg5+zC9p1o4yedJRP9iGmKdpPe+jWgFFA98nFScq9CdVqqfTvX8jVhr9p5ziSoHZ
zBMOuSKgDuOqMnil96SMGNEGBP29OAHCay/0BfroHxFrBlV5She6CETgymZa2die
3C4AEz0BdrIsT6pgIE4ZsP15jiPVxm2l52TDADSX0DQ+dSW5Zd8JSzdcjbWv2iTL
fKtymO8Moa4aRcGmGuzq+iy5Z7FRwO5XBwarXdDfxBnAkYTiPRvw9QdzTCZespjX
mNlLPeqAsTF5Z8k0kVK4iSjQJZNHHDly9/IBuBzMXVqQpzJS0t7B/zz2Z4hnNjL6
sLNdFY2LK/zROPcBPLV62PVDcrtn1h8qduiRdospWuDu4nyqjQELREgktu4VktXL
7MaHq16dCDuIyYOa6h/mXIOOpx7NLAILGC9zI7D3JXEWajRg6ttIRAjU05UWvl4X
28xxKHP8ajP6sWhKzGa7LwQ1qxg6fPbCTZdLZo+WJOEEIJpU+OxaDt0cBhmi0fuS
YPa3f4YhU+t5Pnw9KHx5LrrQDqLzX++hf0+7yn9Pa11KYND/S4mcP/GBtB1UaGUg
RnVuZ2kgPGZ1bmdpQHl1Z2dvdGgub3JnPokCNwQwAQgAIQUCUYlF2hodIFJlZHVu
ZGFudCBFLW1haWwgQWRkcmVzcwAKCRBI+ZYRQ0lYKd0TD/9uBJKPNvtu08FMN2td
Z4xrAm657NK/z84Ubgq8B/ouMzqdOtjI+LCnr6Dj2l5Ifh3H7kUwB+RObYwqEuFb
E1qpVkHfPIAsRnyW2fFXz8Sf4B/d6vnRGK8beFVKGFAXLKUqKLusKyzvQvGARU9b
Nv9t7MSb3JJiPTviPwH+qtUSTYqBc6di5h5aAAZOaPx4uktdfI+v/8jDJGQxPlh+
6lZ+6Vvq49SSHb/8R7tgbFfOIV2C6Z1rfR20VM8lpsbmPhbz7YH2cIOq8pQAbVEu
Yz13AgNnIR0wj4NaphODfWOms7Y7sJ3BO32Et/dKJ5pzOeSghqH+qUDvzLAxmO/7
EHmfdsHQn8iH2Usw3USTMXTM2UxdUclF6rKLiF+e9XBgrDroXKJtd+bjajuiCorw
ZWZ6UYpg1iHdDkI2vAQvGZeBuQAGq8+y72dGmsTHlA0sgLg9VEZQvtolao9mCII/
ZdxRUCtSDv3cfK3rjH8dZwz6Tw35IZYl6zlO42Z0iv6SCcRB9RwfRGW3+qZwVtzO
HjsCZ/teVWn1jVYli6aekGgKYkFpX8J2JobCsLUajat3bUwodOMl1KxunLd14sbm
04qMJlqlzxnGQDmbzscbGRowQd0lT6UzNcXuVwXUcpPt6a8MGU4PVVyDropfzWDu
YQEKMwtyQ41/NJ3/yvseWTNMKNHJIMkeARAAAQEAAAAAAAAAAAAAAAD/2P/gABBK
RklGAAEBAQBIAEgAAP/+ABtodHRwOi8vZnVuZ2kueXVnZ290aC5vcmcv/9sAQwAQ
CwwODAoQDg0OEhEQExgoGhgWFhgxIyUdKDozPTw5Mzg3QEhcTkBEV0U3OFBtUVdf
YmdoZz5NcXlwZHhcZWdj/9sAQwEREhIYFRgvGhovY0I4QmNjY2NjY2NjY2NjY2Nj
Y2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2Nj/8AAEQgAkAB4AwEi
AAIRAQMRAf/EABsAAAIDAQEBAAAAAAAAAAAAAAQFAgMGAAEH/8QAMRAAAgICAQMD
AgQGAgMAAAAAAQIAAwQRIRIxQQVRYRMiBjJxgRQVI5GhsXLBNGLw/8QAGQEAAwEB
AQAAAAAAAAAAAAAAAQIDBAAF/8QAIhEAAgIDAQACAgMAAAAAAAAAAAECEQMhMRIy
QQRRIjNh/9oADAMBAAIRAxEAPwAL1O1VpCbHUxB1CqLVurDqf1HtFWbiPSessXUn
8x7wnEwCFD2Oyk+FOp5jjHwtlw22xaay7nQH+Zn2PUxPudxrlYBdSyWOzDwx3F9d
O0LOdAf5j4vKV2cVT2vINLEoeSNSrIvVONaErqtRjpiw35Eq02hq+hhVk2kg7BBn
ttz2ApvQJ5EoRkB0AdjyDJ9LqDxsHzJ0kxvJBmVSBo8yPV93Yj9ZB9g8ElvYSVeR
oBbBxHOGnp+WtafSt4HcN4jA5FIXZtTX/KI0euwaVxv+0i6kHtJPGpMVxCc/KGQ4
VPyL/mCTp0vFKKpACvTTWM+g2u1aBxtlOiJ0n6SXHqeOalVn6xoMdAzpLJ0IV6hY
qY5DdyRofvCK3WxA6nYMU52NdW3W7/UB46pdh4ty1/UNprU86HmTcF4uxQ6+1aqy
7HQEUqfqVs/jZleZa1t30+tnAPmX0aWoIfJhUfKKQQufEe+4kj7QdCNsH0BnUMx0
IRh1Cy0ccAzQogVABBPLLiNEccVsV0ehU19zsy630iuwaHA+IxBkhxI+mNwzt/4e
sYH6TACKMz0HKpUnRYfE3g7TjWHU7AMeOWSJtRfUfLHWyh+d8Rnh3C1NPyPf2jv1
/wBGVlNtK6PkCZvHY0Fh5HBHxNSmskb+yTj4f+Bjp0n4kZKtxYuvInhEMWK0EYBr
GdQbWZE6xtlOiOe86DidBKNijj1BlXEfq88ASrKyVGKGQ9xxqC59OQjB7X617Ajx
+0GIIp0TwZFQXlbClZXV9pZjyfEvQkOF3zxBqNu3xuEY4+pmgD3jyKxNF6bTrR1G
mtQfCr6KxvvCWIAmR7ND/R5vmSBEjsGe7gATBlglIPPeWqR7wiMjZWHUgiYn1/BO
LlGxR9jczcGKfXcYX4TnXIEeEvMjqtUY7Fs6WA/+MLsA6uO0W1Hpt6T4MaNoop+J
repEOornTp0cQc5rKMZ+vsRr94kyG+wAe2p699t7D6jkyDr1NzwJCMPGmNE6gFVG
u5jH0epf4h7n/KnA+TAqQXsCqI6wkWnG2e2yYmSWjRjQcfUFqHKyo+rVltdJgNuQ
bFJrrBUd2J0ILXkpcu1Xt3ERQ0U9Kx4marEaPeEK7MCQYkoAsYBT3javGtCcb7Sb
VFCVmQqclpEeq0p3OzF+WCrEOYA99FR6rF2I0Y2LJo09fqNVg+0iSvK3Y7geREWP
fSuiamQE66iNiOMf7gdHjUElQqS6jA3jozXXyDGNZ6qRBPV0+n6rcP8A2l2M+6hN
r4mZV1olOnrcmdGEK6hzOc6BJ59pdZUKWIB2INkWfTXZ7+JK/T0OtIJ9OO8op7Ls
/rNPXiA46qfbmZb0AdecT3HSP9zaVsNaMhm1KjRj+Ni6/HT6LVMv2n24MFxcOmgO
Erclho7j5q63HIkRTWvOt/rEUnwe4vYuxsRaz1AHXjcb0/k18QZjttQiv/qDrBPg
u9RwxYpcb9jrxFV2BTdWqN1L0+db3NPwTz/aQOLXva8fEKk1wFqqkLsPDqGMtCqW
XeyWHeMacUU16XsJai119/8AUk77B1A230Vy+kfPPX9fzS/4I/1KsU64Ms/EB6fV
sj/kP9QbHYkhe+u03JfwRB/Jh7H4nTwNusbM6GPBX0suPVbqLPUHJbQ7AQ0nXUfY
RdlbPMXGtjS+I1/Cw3dYT34mvU6Ex34VbWZYh8jf+ZrmYATP+R/YzRh3BF/1QFgu
RlFRpe5kHZm4WRqrAYlzsmRLKKRcLFVgCw3C68ioN32InycSprhdySvbnsZQGZrN
AkH3jJAkrH5dH2Aw3Kq8o76W3AcH09qrzbY5IPjZ5h9tStyNbgYtLjLw+xOPaUIS
p0ZdviAVqjBfifX84tA+P9CU4el2fOpH1e7+I9XyH8Byo/bieUn+nuehVQSMrdyb
DmIPK60eZ0oqfa68idAjmek/02glnvCt8Qawd50ehYR6Ewp9VqO9K4K/3mybmYGu
w1urKdFTsGbnDyUysWu5ezD+x9pH8iLtSLYHqjrX+knzBcfLrexgW/L4A3C3QWHR
HEn0VogCKBr2mdNGgo/i6iddBI+ZIZOCBvpGxLBk1pw+v7T0ZeMeQV/ecF0ep6jj
kaOl9juQfNr+t0pYGHwZerpfwFUj9J5bi0FeKkB9wJ2hCxT1qDI5N4x8W25jxWpa
e1EKAvtM/wDiz1EJSMKs/c/3P8DwIccfUqEnLyrMxsvYWPc87hCj7NQevR/XUIQ8
qJ6MjGiyluzDzOnqL0trx3nRAlhHEHtHBhZIUEkQW0fb+sSPR2DFfMd/hzKZDbUx
3X1bHwYrsqKV9R4Uf5MYfh9dizffr/6jZWnBnY/mjTK6seDLOnY4gDhqz1DtPUyx
v7uJh8mu/wBhTYiWfnM9r9Oxgd7Jg7ZwA2DuVpnffs7hSYG0NUqVOF4E9YhRzF/8
yXp13lJvtyW6V+0QeWdYdbcAG6eSBuYR+vOd7rCS7EnfzN1XSEqI78cn3mPwVH1n
BUABtcTRgdWRzK6FtR0eYVRyCO8ryqWozLAVPR1cHxoyyoFX34PmapbMyCV3r9J0
irHZ7HxOiLQzJ2eF3v3MqI6nA1vmTY70B2ngOupvaIh2W20i/GKyz8OsEays/mB3
OR1qxOtzwBuB03vXemUq9AY9veFpuLR0XUkzXdPUkEuo8iEYly31K6ngiXNWD8TH
w2dFRXpPInmhDbMcntoyNeGxPI1GsXyUVUlzwI1xscIo40J7Rjqg94SIrdnVRXkM
K8d27AKTMRg/+Q+u5aan17I+lhMg/M/Ey9BKqU10vvYYy+FaZHL1DS2vrsrb3GiP
eV3YSd1UAfHErwrLjXT9c7bqYCM7F0wIHiUeiK2Kv5c+uqohvjtOjG0Gtg9fHuJ0
70zqR//ZiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEl65J
b8At7J/DU7LnSPmWEUNJWCkFAlq0/AkFCRCCj30ACgkQSPmWEUNJWCl50A//a2S6
RDjk7/lgVHd4MZC0oWObAPecIOSajj3akdKhHJSh0gXvcZe1MMutcWKhJ25r5Opa
gs41Av46rIOlbr9/btECFChMd3Jeysb8Akyg7k2Kws4OVN8OjYAvqUyacEVhfoZ9
RS0Q8ldHGshPbMDRwRiXqjq1+Z+0RzOOhPkJLGJV7ARPIShF2TG+AUsb+ybo6ze3
LA81UMO2hEnjKoUq5IYo4noA0mjZSU9gXMZ/hU213jYTYOiYWU78DEPt8H6bhGAg
pNC480VQ3iK2+RHo3/C9UdP1YkEU6VP5Eag9hc8ZDfRnzk3uG2YAWmNz8Ij9HrXg
aZnzEAIdswDzFLOzjnVgcKuAfalFjrhMRuaim7HEQZK9psGMfklK2FuehkE8KjHT
Je28vOYqzTj4lhbwfQ5Yblgo28rCLCiVgnF4N1Kh83+RN5lNAl3LOWe6sJaLnONp
RN+ZeDsrLYv0e+lEjF8R8ByffmSzqtAXUXkfj60LXfLbzAPB6c6jYUMtqqcFGi6o
AxaG9r4f0zhVmjZOiqjrQ6D3k9yp+nou+enkhUiwBllU5TuOP+eTcgGrOykeVeKM
G2Jqa1c5xTE2atd105DWlkrJwWsILLq4i2egG7sfogzfkACBtczIi1K4JZMyZMiz
QhP3b470OBy4XoylnTaUhCcVK/Lhq7sP6TUarre0JUplcmVteSBTdGFubGV5IDxq
ZXJlbXlAb3BlbnN0YWNrLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
AQACHgECF4AWIQSXrklvwC3sn8NTsudI+ZYRQ0lYKQUCWrT8CgUJEIKPfQAKCRBI
+ZYRQ0lYKc6tD/4/44zoUTP48IgXBLTCkv8ngc66mUkti0eML70J5jzgUFm/0BZ4
2y34mi6ZG80vURIKxMRtcoMuAt9LlT68sEl8CBs5MZIgATXM3N7LF6NpXZHJncdM
CGCNmnJUVjEivO09lxB74wsx9Hp8TjGdMMl3L5bLM+vR1OA7brA01XiG4EP+50YI
xTvb9ICVrysRJ91fA7PbyzhhWchMiYlu5qXiEEsAavk6kIkmfpRwZ/QUUn73Y5Ja
zmTjIpLNij5sz8tCcB8AbTZBI5/QmhfH37Y56J0EnV9blIlBRP9XaMEsSz5vLdq5
Ubj5U0/Grm7RauKHLFscFhkridDSSi9e/CheHS8qH/ooMWMYHgxEVezsBuhJHzh8
QcIGSbhWgRxvAPfYJ7TvHRJQ9d/+tAf1Gu1NrYk8+Blb+h1yzkQqvIvWdAPy0NRO
DlQ3lo2Qk5bcGKqTstXkFeC57SAZSqZHQeNqhRU7l8QfPYIEL7bkB4r0yhjsCBk9
h2x+HOYHb0GVjN2A8OB29zH46HxCSUV18/JcDGiz15G6cKiRvoneAWmcR95lXY0M
URs6Uquvoun5YJ0iKzgVLl7ct4SxYKwYpmWCuTMPlVX2ChqlebgrKxwXtlGa0n2O
WHOAjN3A9IFYqLhVE/nhXI+TbA1uaz/hrEF5dQXC4V0aHMuGLSoSk9/HkbkCDQRM
E6AEARAAq83wcgaF39i7uHL4isOANf39rCZD6CbsR9miTuRbK9v3fwidszRSuAC6
DQ2c5hg2kYQoGX9YqNNeuWQwL6YnoDUY+QbFK1gjuB9lt8F4Neuhs1TPJ1cTbQxa
qtj6ijhpC4phX8K+qEezVPcHhaTl3Nouir22XhAH4wy5ArneK6tA+pzwo7tYAkve
DFbfLjsZtK9acJLEDnS8RWQLMBowOsJPg2xelnPgm5EliDji/LaBIVro5PbLRN83
Joj5pyjhgqH8sSeuvdRJGo/SJJUujPsA0v0o1pgwdzKt8SORpEhm1tkMBNbLWL3n
dYYqFRcZl4drN151tmSML2w2yxNxm5DPJZRwkDKdgfSv368jb0/vvDwZXtMiqBIj
bzmdDi9rOOHyH4I567uGQ4emjvWGCE0yMx9e9ADtGJjGdQvWFL/eyzuvcKUp38TI
RqleuMIV11Zoau0tXvxlBpQr6LPBs2880/32jqvzFOjA8ZdopSE9JU2ABI59QYWa
SY3rRaypIJu+DvSCmcg2BYLzIHacYkOO+LxjWnQcdeaX0fdRufQnAUQOhX7tGOUT
IsN5vG3SgcO8vAEGmh141/NylfQfctZYKGu2mHkd6Et/us/1aEEGc3JFfkWcw++P
r5DWCKYbfS6XqdcKYtuyWjCjPWSEJ3KK5LwLqnWkgdwL8CE3lS0AEQEAAYkCPAQY
AQoAJgIbDBYhBJeuSW/ALeyfw1Oy50j5lhFDSVgpBQJatPwSBQkQgo+OAAoJEEj5
lhFDSVgpOKoQAOK0hG2VBNLkiCppzdiImlcvzM+jJ1eooioOuICGIpBTO7hmJvIm
Te6igBz19sl1CMPAGhL4+HsajSDOOal71AkJOt3qO7e5lbOA8Euo64iDHW2iSw6E
lfmgsS8rneYs7cAuHcZF9f14PwJ9pS9aTqxI3gjsYPB5qNXN8lzc4a4VP/WjnNDC
O5ZsmsTAKmvo6hoTPNAXomg8CgEgK8N7hTRfCrMkieFz1wlMD38PNkhTJJ7opN/3
VxX5mAj+6OqmnhoLtO+VQI+K1cNuad8xsvl+MbOmrK+yEnp15dGevM9ws7ybngJ4
qhNXIpFl6fxcTLoalPDLZFWU935RbEIbzj6yYxfJs9nxqYOEDm8oFAwNkK2FNMeS
0RYnaat6Ml8/KPTQDg3KNKN7qRcegLofRrE4xIEWV15liASTtFlzR/ZS+kYJN/b9
vlcnOAj8SfwFVS5mg7ryHt/eC2Y3tx670o8zqWwSZ1lVomPybJdAFwwY4kWOV2pQ
nGtuamOJg9JIGbPb9LLglbXDexbdkWLpN5i++2FUoqe3mGnf+RRAu46RG5PCBZ3+
1g+7tCuwVRMT4FTPLmdORJbUQecDkyAD8BE3DuF+7hZrzQi/oiDa8mdvORy4l8fA
QtZYZzk5hURw7zRM87IzZedm0dpBseybhKvtvRltOt6pr8h/p+SsnYiL
=C5JG
-----END PGP PUBLIC KEY BLOCK-----

71
doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt

@ -0,0 +1,71 @@
pub rsa4096 2018-01-11 [SC] [expires: 2019-03-23]
FB2EE15B2F0F12662B68ED9603750DEC158E5FA2
uid [ultimate] Tobias Henkel <tobias.henkel@bmw-carit.de>
uid [ultimate] Tobias Henkel <tobias.henkel@bmw.de>
sub rsa4096 2018-01-11 [E] [expires: 2019-03-23]
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFpXBi8BEACnNMAX1sljAopBAZ/3fYVBC3R7AwwujALt4PzbysUmy1XKB2zb
ZEu8XNyBIYX0DDIBFvTyVHTjY2ztF6VVEovYOc1BdEZivvxSXuK/AWnZDASXmN0Y
TlHKiNLo+fI3j1esMIEaKb1DmJOwxSY4MxiUSZ9XRgn0tn/u5kktzjcicnhAmWL5
V1H77bHiOu1+N9AWDFslYPdI4vaRcK6Vo3ePyviLSGN6LGX7qHIPyUKGctRQlADL
vdyK3tBfexA2GqueLTWBezO9V02BkIQVbvkwrJbx5IOw4xwa+JcJgRT4voxqB4vg
ukuJEiovP/JPQ+r7Mp9o+3BzhcePbL5amNLBPYio1tXQ0m675SNplrSRc9tYMaMq
uRGXAvgEH1WrO5k1jdwkjmk84h/EPckRO2MKr1Jv6bTotrnkkb7hnXUn533G89e2
F4IM6pV0Uf8Y58iaBnWj+C80wp9B8wp8OYI4uhmB7nv0O0ZZl5sal6AMxG9jgaSd
Wb/wOTYZRgI9MDC1HKyafxBWuGuK9ZylqzNuQAfPhCUjqXfg1rAR5LKG/Fhpdhjq
9ngF8QEKN5jvFXUQzSvTvQVZnbALDPS60D/uyLyWSR61/IzhLiyLnS8AIwUCnKY9
RVVn8it4HE0o4MeoX2SWTQgu73Yn6fhMhq3pfNYpYRH/Or2UAo2LZKOQnQARAQAB
tCpUb2JpYXMgSGVua2VsIDx0b2JpYXMuaGVua2VsQGJtdy1jYXJpdC5kZT6JAlUE
EwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE+y7hWy8PEmYraO2W
A3UN7BWOX6IFAlq1BvEFCQI/NEIACgkQA3UN7BWOX6JaIA/8DkfZFwwFu8f+gXGg
Cj0x7b8g59zy5EOOrJJ1YLVfesm1s1b15Gdww1VD5imPTsD6wP4CSOpDLFkKDT6r
PqBJuIrVWZ/xZE9vkBxNgx/RmWhGXkMklRegAXxcXyse/liFypy+194frtVYM4BJ
kq08KQJftZPHoljUX02yfxtsygHl4t4E/zIMSHDjQZ4B/vcE8SXs5/zWrACpu1/l
PdP415YQ9pXlhIIMhcl5nFS+DOfVitaIBSkchqadxr1+Qkw31TeSl+dy2s7hneWN
2tG3plP1vQA1hzf5UGzMvFCaLYjnBAjKVZF5bqE+bNI2Q5o+U5fCSqFytWy7OW2M
cTmf+Flwe1zf4RkVsGHcleweeQ9IDeAGBm/t3YPn2KNIby5/u8csJFcbWsS2v8is
7EVwEVv8N1mpa2eK7joYRKDijEy3okKkYoQWOAKSkZwyqpcTVn8gbAIJPiaI96we
xErHhrQe42cnKqwVHkLzh66zpEhpgJhjGmmFOfkJUB46vMcoiiowZHsx0wPaWwte
0MHHvpmuQYC3+dlbfbGAd2V1K4WtVu2Kng1n/7rY1wGyyIShVjdFThrArkJKErkL
yG93fFXqFbqmUjqPWv8qdu3Ncn7LH55j2l3DkYYuu2kEF6zf1lJYU8A46UnNpN4B
11FZ/ruMXYGg1iC8QJB7mKhmiXG0JFRvYmlhcyBIZW5rZWwgPHRvYmlhcy5oZW5r
ZWxAYm13LmRlPokCVQQTAQgAPwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AW
IQT7LuFbLw8SZito7ZYDdQ3sFY5fogUCWrUG8QUJAj80QgAKCRADdQ3sFY5fopnD
D/9pB+msaygKwuGZDX10wl5vv8mbmI0Y2nWODIJ4c8uJWAEJgZMSI/R7oYRKiHdV
hqv7yTIrX9m3OWq+PLE865dFEtWiXoHiz56leNYFWIUunmjxoW9Kcdb9fVyTRUlI
j0o9LKWqZJcihncBlOHVQVNAzeaSaoDQVN40tOInxUKwquvFws1vaKMCan2UJpsw
XrfZl/WjLTEHnT+LuSdlDL1uNn9fpR/glVE0damQcah0uUOYRwpVhiPvaThv68cU
W1Wwj/7oLt5NS62oByIYcPX5fzFGh+0A6t1PAqdjJp/QvlOjK+KT2VkpghPcVghC
zYr7s4WEAYrmvY3QCCIUPaBaoH1ydIXc6ZQp2edfSgi4o1mGOaYziWkvLvKg34S6
Yzk211kBE8VZMz98+gpHCo9tA+brChFIB6V2txrHAdhzdd/MnM1SEuB60bzxJ3rX
ZMqJNwZguOVxxlBs3hMMapEMSBpVQv2lqFjocw7g7olPMJcaHuC+edxN2krkwpvl
lM4hd2jdepA1IT3clsCvMku5UB4f1QUQx+AFxAirTQkczMdjQGi8UtScjULCyO2H
M+lQjRYWa7x5FEM8m2+CMyKnyvCS6SQq3Uw9NNJ5PsaMQOwTaedilnmI538qbImZ
oChztVVU2byPw0V+R7De7kS5O6TB4Nc/GdrYUoBmeKprwLkCDQRaVwYvARAAu6F3
lC4NVK6uxZQT8hVbnmATm5yk1BOVP1pd+HeY1yGzbOPkIhPg6dNjxSEaSRvF26yw
jhFI940b9fa/mqPBPCRyt8XkRfZHr91qf/amNxs/LSAgAdGsrpFDG6TVkGDJfPlL
6XkdLtQdBuGHiFDABH3SCx4pfYYQvNX0Z0wEYIOm4Dkj2k1ceEDK7oizkZCzHhao
mzLKkNHH9rbaq5WV0DxLjQla9JjE1HlMyL5HT/oM9Qs7PCMqqczV0D8gmCcx+uBD
j6BWTnpWRgVWVg/O3ulrAU4XaVy8eJ0hiFPBuD1SIFaby2MBlbbJwWWNQtimXc6H
zS4YSLWGN7rsU/UDKriFbaycHopD2OAJsx6xvuDV6lWMQhN/3PHMvIpNuqw2IzHA
Y+wqHwlsa+xDuVISNc9sVj9le6r7SKJ8VvbgJbrcQ4LIgBvgtqr+PHvE3ygscpUr
AKYvEHgu40X+A8Q6VP8DQ5sdTvJbLJSrJVK6uCcS8tzDrLFax/VYAez+PxsXhLKB
kv/zG9ZE1Utb+B0OQIlwsK4nIz5p8obdWsrrMSm7JEKh6NQKa4qO1VvsxgARAT6i
4CS/8NywYe8eXyN+M9BOl+f7RuzfQukd5dYas3YE+JrHg5TEueUqHxKGQv21PAb3
F/yMm7CVTvw30CAZqW0vShw79YWYdEO3lkVB050AEQEAAYkCPAQYAQgAJgIbDBYh
BPsu4VsvDxJmK2jtlgN1DewVjl+iBQJatQcNBQkCPzReAAoJEAN1DewVjl+itPIP
/RTbOYHUdZWeXcCqGiU5G/+mxlnrEPHR+B5idRZTEPClIzHGuywRai7BLDSq5t+t
GAhO4kjKuaUIo7UUOlCK9dgn9l/jl7hh6HEjUX1JAwgpWlnwIJTqAiklZhvx9BWb
GBF2mzlDYIR6FP/JBJIWMuBZxnNjMV8lEaH0675xrLHD1W8VJsybqqoqN+zLQrP4
YY/xrSQJA968LuxYpWmWbhTzYuNv6fsQSlF36ayrAjxGfJ2zQ7wwfF5Kbo6tFDyx
R7UwdVxDc0FmABPs+skbOjjAZP7IB8ZjBb6+BrDCEUXOEfjv7Xwo5RoxmPAH3a8L
LuQAKrpz3fwlXyL0vyOtNN2vhGTmR9zCap37PlFZ/zI8VdVRaLenYwcglEtoxy6A
d3kFO7ZOdk+D9zVm7inv8aKZ4ru8FLVwSDVEEP00P0a7NbyMs5PkpK29+xqAbkq+
4xhq0sW1TdB+7W13G/2nymzJ58x9pXQwSVQZLVIbnmf7rGp0Z+CrcnV+XkZOVqPQ
tQvWIshx11oB/oBkUr4109Lg+qOti+jQ1aT8KxVIFBITl1HLm9vpIy24qFLpGdIh
wIHaKIZS27Rkje/xzfl6qJ3xBsIY0Bh/z2xe8jvJ55VN2FNDxAXh8i7grV+77Xqh
Y1Ls9ADOLHGQfS+2i9J89mU+XCyxNTpbRy/d86WN5Unj
=NkrA
-----END PGP PUBLIC KEY BLOCK-----

1
doc/source/user/index.rst

@ -18,3 +18,4 @@ configure it to meet your needs.
encryption
badges
howtos
vulnerabilities

68
doc/source/user/vulnerabilities.rst

@ -0,0 +1,68 @@
:title: Vulnerability Reporting
.. _vulnerability-reporting:
Vulnerability Reporting
=======================
Zuul strives to be as secure as possible, implementing a layered
defense-in-depth approach where any untrusted code is executed and
leveraging well-reviewed popular libraries for its cryptographic
needs. Still, bugs are inevitable and security bugs are no exception
to that rule.
If you've found a bug in Zuul and you suspect it may compromise the
security of some part of the system, we'd appreciate the opportunity
to privately discuss the details before any suspected vulnerability
is made public. There are a couple possible ways you can bring
security bugs to our attention:
Create a Private Story in StoryBoard
------------------------------------
You can create a private story at the following URL:
`<https://storyboard.openstack.org/#!/story/new?force_private=true>`_
Using this particular reporting URL helps prevent you from
forgetting to set the ``Private`` checkbox in the new story UI
before saving. If you're doing this from a normal story creation
workflow instead, please make sure to set this checkbox first.
Enter a short but memorable title for your vulnerability report and
provide risks, concerns or other relevant details in the description
field. Where it lists teams and users that can see this story, add
the ``zuul-security`` team so they'll be able to work on triaging
it. For the initial task, select the project to which this is
specific (e.g., ``openstack-infra/zuul`` or
``openstack-infra/nodepool``) and if it relates to additional
projects you can add another task for each of them making sure to
include a relevant title for each task. When you've included all the
detail and tasks you want, save the new story and then you can
continue commenting on it normally. Please don't remove the
``Private`` setting, and instead wait for one of the zuul-security
reviewers to do this once it's deemed safe.
Report via Encrypted E-mail
---------------------------
If the issue is extremely sensitive or you’re otherwise unable to
use the task tracker directly, please send an E-mail message to one
or more members of the Zuul security team. You’re encouraged to
encrypt messages to their OpenPGP keys, which can be found linked
below and also on the keyserver network with the following
fingerprints:
.. TODO: add some more contacts/keys here
* Jeremy Stanley <fungi@yuggoth.org>:
`key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__)
* Tobias Henkel <tobias.henkel@bmw.de>:
`key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`_ (details__)
.. _`key 0x97ae496fc02dec9fc353b2e748f9961143495829`: ../_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0x97ae496fc02dec9fc353b2e748f9961143495829&fingerprint=on
.. _`key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`: ../_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2&fingerprint=on
Loading…
Cancel
Save