Browse Source

Add instructions for reporting vulnerabilities

Prominently in the Zuul User Guide, include a brief overview of
preferred methods for reporting suspected security vulnerabilities.
Also link to it from the README in such a way that the same
reference can be reused in other related Zuul repositories following
the same policy.

Change-Id: I2bd13bd13372f26c328cd7d6b5618ee8edffe490
tags/3.4.0
Jeremy Stanley 1 year ago
parent
commit
ddd8594a3c

+ 4
- 0
README.rst View File

@@ -38,6 +38,10 @@ To clone the latest code, use `git clone https://git.zuul-ci.org/zuul`
38 38
 
39 39
 Bugs are handled at: https://storyboard.openstack.org/#!/project/openstack-infra/zuul
40 40
 
41
+Suspected security vulnerabilities are most appreciated if first
42
+reported privately following any of the supported mechanisms
43
+described at https://zuul-ci.org/docs/zuul/user/vulnerabilities.html
44
+
41 45
 Code reviews are handled by gerrit at https://review.openstack.org
42 46
 
43 47
 After creating a Gerrit account, use `git review` to submit patches.

+ 162
- 0
doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt View File

@@ -0,0 +1,162 @@
1
+pub   rsa4096/0x48F9961143495829 2010-06-12 [SC] [expires: 2019-03-23]
2
+      Key fingerprint = 97AE 496F C02D EC9F C353  B2E7 48F9 9611 4349 5829
3
+uid                   [ultimate] Jeremy Stanley <fungi@yuggoth.org>
4
+uid                   [ultimate] [jpeg image of size 2509]
5
+uid                   [ultimate] Jeremy Stanley <jeremy@openstack.org>
6
+sub   rsa4096/0x17FC38FB4C6A6B3D 2010-06-12 [E] [expires: 2019-03-23]
7
+
8
+-----BEGIN PGP PUBLIC KEY BLOCK-----
9
+
10
+mQINBEwToAQBEADkKijUR///dymLBuHX/C7VrKzqyR41QLE+yO2XoT6nP075MYuk
11
+1850i9mN7D4lGu4fpW7kmXirvowvN9CqMN8/T/yQNJtNcFD4ff9FEdUF7DnDNPYZ
12
+pq9iqkq2kMYm3dh2DwG0BdmsI0TAXfi1cFEizS6vxduLhCAMqon7TaNpcYhED/Id
13
+nKpS9pLbjfAG22i7worar//RlZE63CfwJti+rG6Zjg6BLflsD35TRc57asO2NDHp
14
+gFDUc0i5YjyPQGhYM91hqo/84pUe7A/atyTVSYHhe+SPwIGoHQorbdpaDAPhYv+g
15
+IMZ+hOBIATFsdyCUpg+X7HXyv+jxY5Enpxc4BvfyaxIm7iywjRANhlFvdV4+pSvY
16
+d0JhwSMxWyG5G/xzruM9B8dJtKdYHYRpn9OmNWTIM+qeZEjlpYWIazw9CPZqo4HS
17
+FGgCrALt1RbSAfFJGF1890QArlRgkwDHIS7GPXNdZCPCCGczG72Ivs613wInUAlZ
18
+767D4sKtY9L2XjKxndk8Rti6ceq0ENMRPy7SE1T14OkZM/eKQ/QhzjCLd4hpl/74
19
+HA0Tp13+LBUN51ttyn/taaFx1dA8AhAln0rx8McROjY82KEC/dA8pn/GlWQs00Se
20
+X8OzM8V943CwNEWLeOwUdUZQlmKMvoRJFZ1pmjp3M8LDUSnX+Dv68B/ekwARAQAB
21
+tCJKZXJlbXkgU3RhbmxleSA8ZnVuZ2lAeXVnZ290aC5vcmc+iQJXBBMBCgBBAhsD
22
+BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAhkBFiEEl65Jb8At7J/DU7LnSPmWEUNJ
23
+WCkFAlq0/AEFCRCCj30ACgkQSPmWEUNJWCmYgBAAwR3YG/zGYvhNUJkvv4FqEP7P
24
+b6M8fzx+wFTguLSAYjs31mWO0P6yFt05Wo2MCtDLi4kQzJ2Sim0FfqOTdebpVvjU
25
+i80or0TsmrXV47YVfsq1T8BmL+TvcF/vS/MArhnX/4RNnPNyhB56sTsN7tfmBsWn
26
+MjkUv/J5pB7Wm398EF0TvOL4DI/RgE7uzz/UB4S/ZwPdDMtZW5aJZaXcCkiHOvMh
27
+P1jlILjYJ0iBNayCtmBPXZYEqq/sk3GGxLHvCHTBUJMPsXQjXokWjQu5xUUf5/4b
28
+LBVzEvVB4pzg8s6SyGcrRA5sfT5BkxlRrkSl8/yhlgaRq/4FgAZu3HpceAlLSXHX
29
+3NNbUGjMieG1FXE+aGz7QWb42oZKK3MZCd7IpNjAI+8AaNTH2q++9gBNUvkCyZNu
30
+yuWZXe8s+PbJ9HRBcKRvvZ6A+3gmWjqW0OrEPQ5GnLyDw5Wr+TadLt4WXeg7VxcW
31
+HaORUSTzm5aESpUrsPlIf/dUiMtbNunLaW3Na9HLRIYsS7wsHeUXv6kyHJX0nczB
32
+B56Hbu/hE65xhM+FxG8UdCNdMZCfWr6AlbhVuNACPAaB9XXs8xQnq8zc+rjnqIE2
33
+FBx5SW5CIZlmXdC5SY0jb9KC2eWqgRtKKikK1uab5vSV5HYY57UG1gQt8IlBacMR
34
+DFSm9g2cAw/+rFCFg4q0IktpbnJ1aSA8a2lucnVpQGthdGFyc2lzLm11ZHB5Lm9y
35
+Zz6JAjUEMAEIAB8FAlGJSR4YHSBVbnVuc2VkIEUtbWFpbCBBZGRyZXNzAAoJEEj5
36
+lhFDSVgpcr8P/ilIGDNXXpAiUqbxLEImJRZ/bBrJKkW+OVaDYcyCZkOLnGFcVa++
37
+mcHHSMS4EHe7nhRl97yKW1+rQiIrEMnEGtE58OvhDy7ic7SYFrs46k6m1Q/6Trik
38
+Zg5+zC9p1o4yedJRP9iGmKdpPe+jWgFFA98nFScq9CdVqqfTvX8jVhr9p5ziSoHZ
39
+zBMOuSKgDuOqMnil96SMGNEGBP29OAHCay/0BfroHxFrBlV5She6CETgymZa2die
40
+3C4AEz0BdrIsT6pgIE4ZsP15jiPVxm2l52TDADSX0DQ+dSW5Zd8JSzdcjbWv2iTL
41
+fKtymO8Moa4aRcGmGuzq+iy5Z7FRwO5XBwarXdDfxBnAkYTiPRvw9QdzTCZespjX
42
+mNlLPeqAsTF5Z8k0kVK4iSjQJZNHHDly9/IBuBzMXVqQpzJS0t7B/zz2Z4hnNjL6
43
+sLNdFY2LK/zROPcBPLV62PVDcrtn1h8qduiRdospWuDu4nyqjQELREgktu4VktXL
44
+7MaHq16dCDuIyYOa6h/mXIOOpx7NLAILGC9zI7D3JXEWajRg6ttIRAjU05UWvl4X
45
+28xxKHP8ajP6sWhKzGa7LwQ1qxg6fPbCTZdLZo+WJOEEIJpU+OxaDt0cBhmi0fuS
46
+YPa3f4YhU+t5Pnw9KHx5LrrQDqLzX++hf0+7yn9Pa11KYND/S4mcP/GBtB1UaGUg
47
+RnVuZ2kgPGZ1bmdpQHl1Z2dvdGgub3JnPokCNwQwAQgAIQUCUYlF2hodIFJlZHVu
48
+ZGFudCBFLW1haWwgQWRkcmVzcwAKCRBI+ZYRQ0lYKd0TD/9uBJKPNvtu08FMN2td
49
+Z4xrAm657NK/z84Ubgq8B/ouMzqdOtjI+LCnr6Dj2l5Ifh3H7kUwB+RObYwqEuFb
50
+E1qpVkHfPIAsRnyW2fFXz8Sf4B/d6vnRGK8beFVKGFAXLKUqKLusKyzvQvGARU9b
51
+Nv9t7MSb3JJiPTviPwH+qtUSTYqBc6di5h5aAAZOaPx4uktdfI+v/8jDJGQxPlh+
52
+6lZ+6Vvq49SSHb/8R7tgbFfOIV2C6Z1rfR20VM8lpsbmPhbz7YH2cIOq8pQAbVEu
53
+Yz13AgNnIR0wj4NaphODfWOms7Y7sJ3BO32Et/dKJ5pzOeSghqH+qUDvzLAxmO/7
54
+EHmfdsHQn8iH2Usw3USTMXTM2UxdUclF6rKLiF+e9XBgrDroXKJtd+bjajuiCorw
55
+ZWZ6UYpg1iHdDkI2vAQvGZeBuQAGq8+y72dGmsTHlA0sgLg9VEZQvtolao9mCII/
56
+ZdxRUCtSDv3cfK3rjH8dZwz6Tw35IZYl6zlO42Z0iv6SCcRB9RwfRGW3+qZwVtzO
57
+HjsCZ/teVWn1jVYli6aekGgKYkFpX8J2JobCsLUajat3bUwodOMl1KxunLd14sbm
58
+04qMJlqlzxnGQDmbzscbGRowQd0lT6UzNcXuVwXUcpPt6a8MGU4PVVyDropfzWDu
59
+YQEKMwtyQ41/NJ3/yvseWTNMKNHJIMkeARAAAQEAAAAAAAAAAAAAAAD/2P/gABBK
60
+RklGAAEBAQBIAEgAAP/+ABtodHRwOi8vZnVuZ2kueXVnZ290aC5vcmcv/9sAQwAQ
61
+CwwODAoQDg0OEhEQExgoGhgWFhgxIyUdKDozPTw5Mzg3QEhcTkBEV0U3OFBtUVdf
62
+YmdoZz5NcXlwZHhcZWdj/9sAQwEREhIYFRgvGhovY0I4QmNjY2NjY2NjY2NjY2Nj
63
+Y2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2Nj/8AAEQgAkAB4AwEi
64
+AAIRAQMRAf/EABsAAAIDAQEBAAAAAAAAAAAAAAQFAgMGAAEH/8QAMRAAAgICAQMD
65
+AgQGAgMAAAAAAQIAAwQRIRIxQQVRYRMiBjJxgRQVI5GhsXLBNGLw/8QAGQEAAwEB
66
+AQAAAAAAAAAAAAAAAQIDBAAF/8QAIhEAAgIDAQACAgMAAAAAAAAAAAECEQMhMRIy
67
+QQRRIjNh/9oADAMBAAIRAxEAPwAL1O1VpCbHUxB1CqLVurDqf1HtFWbiPSessXUn
68
+8x7wnEwCFD2Oyk+FOp5jjHwtlw22xaay7nQH+Zn2PUxPudxrlYBdSyWOzDwx3F9d
69
+O0LOdAf5j4vKV2cVT2vINLEoeSNSrIvVONaErqtRjpiw35Eq02hq+hhVk2kg7BBn
70
+ttz2ApvQJ5EoRkB0AdjyDJ9LqDxsHzJ0kxvJBmVSBo8yPV93Yj9ZB9g8ElvYSVeR
71
+oBbBxHOGnp+WtafSt4HcN4jA5FIXZtTX/KI0euwaVxv+0i6kHtJPGpMVxCc/KGQ4
72
+VPyL/mCTp0vFKKpACvTTWM+g2u1aBxtlOiJ0n6SXHqeOalVn6xoMdAzpLJ0IV6hY
73
+qY5DdyRofvCK3WxA6nYMU52NdW3W7/UB46pdh4ty1/UNprU86HmTcF4uxQ6+1aqy
74
+7HQEUqfqVs/jZleZa1t30+tnAPmX0aWoIfJhUfKKQQufEe+4kj7QdCNsH0BnUMx0
75
+IRh1Cy0ccAzQogVABBPLLiNEccVsV0ehU19zsy630iuwaHA+IxBkhxI+mNwzt/4e
76
+sYH6TACKMz0HKpUnRYfE3g7TjWHU7AMeOWSJtRfUfLHWyh+d8Rnh3C1NPyPf2jv1
77
+/wBGVlNtK6PkCZvHY0Fh5HBHxNSmskb+yTj4f+Bjp0n4kZKtxYuvInhEMWK0EYBr
78
+GdQbWZE6xtlOiOe86DidBKNijj1BlXEfq88ASrKyVGKGQ9xxqC59OQjB7X617Ajx
79
++0GIIp0TwZFQXlbClZXV9pZjyfEvQkOF3zxBqNu3xuEY4+pmgD3jyKxNF6bTrR1G
80
+mtQfCr6KxvvCWIAmR7ND/R5vmSBEjsGe7gATBlglIPPeWqR7wiMjZWHUgiYn1/BO
81
+LlGxR9jczcGKfXcYX4TnXIEeEvMjqtUY7Fs6WA/+MLsA6uO0W1Hpt6T4MaNoop+J
82
+repEOornTp0cQc5rKMZ+vsRr94kyG+wAe2p699t7D6jkyDr1NzwJCMPGmNE6gFVG
83
+u5jH0epf4h7n/KnA+TAqQXsCqI6wkWnG2e2yYmSWjRjQcfUFqHKyo+rVltdJgNuQ
84
+bFJrrBUd2J0ILXkpcu1Xt3ERQ0U9Kx4marEaPeEK7MCQYkoAsYBT3javGtCcb7Sb
85
+VFCVmQqclpEeq0p3OzF+WCrEOYA99FR6rF2I0Y2LJo09fqNVg+0iSvK3Y7geREWP
86
+fSuiamQE66iNiOMf7gdHjUElQqS6jA3jozXXyDGNZ6qRBPV0+n6rcP8A2l2M+6hN
87
+r4mZV1olOnrcmdGEK6hzOc6BJ59pdZUKWIB2INkWfTXZ7+JK/T0OtIJ9OO8op7Ls
88
+/rNPXiA46qfbmZb0AdecT3HSP9zaVsNaMhm1KjRj+Ni6/HT6LVMv2n24MFxcOmgO
89
+Erclho7j5q63HIkRTWvOt/rEUnwe4vYuxsRaz1AHXjcb0/k18QZjttQiv/qDrBPg
90
+u9RwxYpcb9jrxFV2BTdWqN1L0+db3NPwTz/aQOLXva8fEKk1wFqqkLsPDqGMtCqW
91
+XeyWHeMacUU16XsJai119/8AUk77B1A230Vy+kfPPX9fzS/4I/1KsU64Ms/EB6fV
92
+sj/kP9QbHYkhe+u03JfwRB/Jh7H4nTwNusbM6GPBX0suPVbqLPUHJbQ7AQ0nXUfY
93
+RdlbPMXGtjS+I1/Cw3dYT34mvU6Ex34VbWZYh8jf+ZrmYATP+R/YzRh3BF/1QFgu
94
+RlFRpe5kHZm4WRqrAYlzsmRLKKRcLFVgCw3C68ioN32InycSprhdySvbnsZQGZrN
95
+AkH3jJAkrH5dH2Aw3Kq8o76W3AcH09qrzbY5IPjZ5h9tStyNbgYtLjLw+xOPaUIS
96
+p0ZdviAVqjBfifX84tA+P9CU4el2fOpH1e7+I9XyH8Byo/bieUn+nuehVQSMrdyb
97
+DmIPK60eZ0oqfa68idAjmek/02glnvCt8Qawd50ehYR6Ewp9VqO9K4K/3mybmYGu
98
+w1urKdFTsGbnDyUysWu5ezD+x9pH8iLtSLYHqjrX+knzBcfLrexgW/L4A3C3QWHR
99
+HEn0VogCKBr2mdNGgo/i6iddBI+ZIZOCBvpGxLBk1pw+v7T0ZeMeQV/ecF0ep6jj
100
+kaOl9juQfNr+t0pYGHwZerpfwFUj9J5bi0FeKkB9wJ2hCxT1qDI5N4x8W25jxWpa
101
+e1EKAvtM/wDiz1EJSMKs/c/3P8DwIccfUqEnLyrMxsvYWPc87hCj7NQevR/XUIQ8
102
+qJ6MjGiyluzDzOnqL0trx3nRAlhHEHtHBhZIUEkQW0fb+sSPR2DFfMd/hzKZDbUx
103
+3X1bHwYrsqKV9R4Uf5MYfh9dizffr/6jZWnBnY/mjTK6seDLOnY4gDhqz1DtPUyx
104
+v7uJh8mu/wBhTYiWfnM9r9Oxgd7Jg7ZwA2DuVpnffs7hSYG0NUqVOF4E9YhRzF/8
105
+yXp13lJvtyW6V+0QeWdYdbcAG6eSBuYR+vOd7rCS7EnfzN1XSEqI78cn3mPwVH1n
106
+BUABtcTRgdWRzK6FtR0eYVRyCO8ryqWozLAVPR1cHxoyyoFX34PmapbMyCV3r9J0
107
+irHZ7HxOiLQzJ2eF3v3MqI6nA1vmTY70B2ngOupvaIh2W20i/GKyz8OsEays/mB3
108
+OR1qxOtzwBuB03vXemUq9AY9veFpuLR0XUkzXdPUkEuo8iEYly31K6ngiXNWD8TH
109
+w2dFRXpPInmhDbMcntoyNeGxPI1GsXyUVUlzwI1xscIo40J7Rjqg94SIrdnVRXkM
110
+K8d27AKTMRg/+Q+u5aan17I+lhMg/M/Ey9BKqU10vvYYy+FaZHL1DS2vrsrb3GiP
111
+eV3YSd1UAfHErwrLjXT9c7bqYCM7F0wIHiUeiK2Kv5c+uqohvjtOjG0Gtg9fHuJ0
112
+70zqR//ZiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEl65J
113
+b8At7J/DU7LnSPmWEUNJWCkFAlq0/AkFCRCCj30ACgkQSPmWEUNJWCl50A//a2S6
114
+RDjk7/lgVHd4MZC0oWObAPecIOSajj3akdKhHJSh0gXvcZe1MMutcWKhJ25r5Opa
115
+gs41Av46rIOlbr9/btECFChMd3Jeysb8Akyg7k2Kws4OVN8OjYAvqUyacEVhfoZ9
116
+RS0Q8ldHGshPbMDRwRiXqjq1+Z+0RzOOhPkJLGJV7ARPIShF2TG+AUsb+ybo6ze3
117
+LA81UMO2hEnjKoUq5IYo4noA0mjZSU9gXMZ/hU213jYTYOiYWU78DEPt8H6bhGAg
118
+pNC480VQ3iK2+RHo3/C9UdP1YkEU6VP5Eag9hc8ZDfRnzk3uG2YAWmNz8Ij9HrXg
119
+aZnzEAIdswDzFLOzjnVgcKuAfalFjrhMRuaim7HEQZK9psGMfklK2FuehkE8KjHT
120
+Je28vOYqzTj4lhbwfQ5Yblgo28rCLCiVgnF4N1Kh83+RN5lNAl3LOWe6sJaLnONp
121
+RN+ZeDsrLYv0e+lEjF8R8ByffmSzqtAXUXkfj60LXfLbzAPB6c6jYUMtqqcFGi6o
122
+AxaG9r4f0zhVmjZOiqjrQ6D3k9yp+nou+enkhUiwBllU5TuOP+eTcgGrOykeVeKM
123
+G2Jqa1c5xTE2atd105DWlkrJwWsILLq4i2egG7sfogzfkACBtczIi1K4JZMyZMiz
124
+QhP3b470OBy4XoylnTaUhCcVK/Lhq7sP6TUarre0JUplcmVteSBTdGFubGV5IDxq
125
+ZXJlbXlAb3BlbnN0YWNrLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID
126
+AQACHgECF4AWIQSXrklvwC3sn8NTsudI+ZYRQ0lYKQUCWrT8CgUJEIKPfQAKCRBI
127
++ZYRQ0lYKc6tD/4/44zoUTP48IgXBLTCkv8ngc66mUkti0eML70J5jzgUFm/0BZ4
128
+2y34mi6ZG80vURIKxMRtcoMuAt9LlT68sEl8CBs5MZIgATXM3N7LF6NpXZHJncdM
129
+CGCNmnJUVjEivO09lxB74wsx9Hp8TjGdMMl3L5bLM+vR1OA7brA01XiG4EP+50YI
130
+xTvb9ICVrysRJ91fA7PbyzhhWchMiYlu5qXiEEsAavk6kIkmfpRwZ/QUUn73Y5Ja
131
+zmTjIpLNij5sz8tCcB8AbTZBI5/QmhfH37Y56J0EnV9blIlBRP9XaMEsSz5vLdq5
132
+Ubj5U0/Grm7RauKHLFscFhkridDSSi9e/CheHS8qH/ooMWMYHgxEVezsBuhJHzh8
133
+QcIGSbhWgRxvAPfYJ7TvHRJQ9d/+tAf1Gu1NrYk8+Blb+h1yzkQqvIvWdAPy0NRO
134
+DlQ3lo2Qk5bcGKqTstXkFeC57SAZSqZHQeNqhRU7l8QfPYIEL7bkB4r0yhjsCBk9
135
+h2x+HOYHb0GVjN2A8OB29zH46HxCSUV18/JcDGiz15G6cKiRvoneAWmcR95lXY0M
136
+URs6Uquvoun5YJ0iKzgVLl7ct4SxYKwYpmWCuTMPlVX2ChqlebgrKxwXtlGa0n2O
137
+WHOAjN3A9IFYqLhVE/nhXI+TbA1uaz/hrEF5dQXC4V0aHMuGLSoSk9/HkbkCDQRM
138
+E6AEARAAq83wcgaF39i7uHL4isOANf39rCZD6CbsR9miTuRbK9v3fwidszRSuAC6
139
+DQ2c5hg2kYQoGX9YqNNeuWQwL6YnoDUY+QbFK1gjuB9lt8F4Neuhs1TPJ1cTbQxa
140
+qtj6ijhpC4phX8K+qEezVPcHhaTl3Nouir22XhAH4wy5ArneK6tA+pzwo7tYAkve
141
+DFbfLjsZtK9acJLEDnS8RWQLMBowOsJPg2xelnPgm5EliDji/LaBIVro5PbLRN83
142
+Joj5pyjhgqH8sSeuvdRJGo/SJJUujPsA0v0o1pgwdzKt8SORpEhm1tkMBNbLWL3n
143
+dYYqFRcZl4drN151tmSML2w2yxNxm5DPJZRwkDKdgfSv368jb0/vvDwZXtMiqBIj
144
+bzmdDi9rOOHyH4I567uGQ4emjvWGCE0yMx9e9ADtGJjGdQvWFL/eyzuvcKUp38TI
145
+RqleuMIV11Zoau0tXvxlBpQr6LPBs2880/32jqvzFOjA8ZdopSE9JU2ABI59QYWa
146
+SY3rRaypIJu+DvSCmcg2BYLzIHacYkOO+LxjWnQcdeaX0fdRufQnAUQOhX7tGOUT
147
+IsN5vG3SgcO8vAEGmh141/NylfQfctZYKGu2mHkd6Et/us/1aEEGc3JFfkWcw++P
148
+r5DWCKYbfS6XqdcKYtuyWjCjPWSEJ3KK5LwLqnWkgdwL8CE3lS0AEQEAAYkCPAQY
149
+AQoAJgIbDBYhBJeuSW/ALeyfw1Oy50j5lhFDSVgpBQJatPwSBQkQgo+OAAoJEEj5
150
+lhFDSVgpOKoQAOK0hG2VBNLkiCppzdiImlcvzM+jJ1eooioOuICGIpBTO7hmJvIm
151
+Te6igBz19sl1CMPAGhL4+HsajSDOOal71AkJOt3qO7e5lbOA8Euo64iDHW2iSw6E
152
+lfmgsS8rneYs7cAuHcZF9f14PwJ9pS9aTqxI3gjsYPB5qNXN8lzc4a4VP/WjnNDC
153
+O5ZsmsTAKmvo6hoTPNAXomg8CgEgK8N7hTRfCrMkieFz1wlMD38PNkhTJJ7opN/3
154
+VxX5mAj+6OqmnhoLtO+VQI+K1cNuad8xsvl+MbOmrK+yEnp15dGevM9ws7ybngJ4
155
+qhNXIpFl6fxcTLoalPDLZFWU935RbEIbzj6yYxfJs9nxqYOEDm8oFAwNkK2FNMeS
156
+0RYnaat6Ml8/KPTQDg3KNKN7qRcegLofRrE4xIEWV15liASTtFlzR/ZS+kYJN/b9
157
+vlcnOAj8SfwFVS5mg7ryHt/eC2Y3tx670o8zqWwSZ1lVomPybJdAFwwY4kWOV2pQ
158
+nGtuamOJg9JIGbPb9LLglbXDexbdkWLpN5i++2FUoqe3mGnf+RRAu46RG5PCBZ3+
159
+1g+7tCuwVRMT4FTPLmdORJbUQecDkyAD8BE3DuF+7hZrzQi/oiDa8mdvORy4l8fA
160
+QtZYZzk5hURw7zRM87IzZedm0dpBseybhKvtvRltOt6pr8h/p+SsnYiL
161
+=C5JG
162
+-----END PGP PUBLIC KEY BLOCK-----

+ 71
- 0
doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt View File

@@ -0,0 +1,71 @@
1
+pub   rsa4096 2018-01-11 [SC] [expires: 2019-03-23]
2
+      FB2EE15B2F0F12662B68ED9603750DEC158E5FA2
3
+uid           [ultimate] Tobias Henkel <tobias.henkel@bmw-carit.de>
4
+uid           [ultimate] Tobias Henkel <tobias.henkel@bmw.de>
5
+sub   rsa4096 2018-01-11 [E] [expires: 2019-03-23]
6
+
7
+-----BEGIN PGP PUBLIC KEY BLOCK-----
8
+
9
+mQINBFpXBi8BEACnNMAX1sljAopBAZ/3fYVBC3R7AwwujALt4PzbysUmy1XKB2zb
10
+ZEu8XNyBIYX0DDIBFvTyVHTjY2ztF6VVEovYOc1BdEZivvxSXuK/AWnZDASXmN0Y
11
+TlHKiNLo+fI3j1esMIEaKb1DmJOwxSY4MxiUSZ9XRgn0tn/u5kktzjcicnhAmWL5
12
+V1H77bHiOu1+N9AWDFslYPdI4vaRcK6Vo3ePyviLSGN6LGX7qHIPyUKGctRQlADL
13
+vdyK3tBfexA2GqueLTWBezO9V02BkIQVbvkwrJbx5IOw4xwa+JcJgRT4voxqB4vg
14
+ukuJEiovP/JPQ+r7Mp9o+3BzhcePbL5amNLBPYio1tXQ0m675SNplrSRc9tYMaMq
15
+uRGXAvgEH1WrO5k1jdwkjmk84h/EPckRO2MKr1Jv6bTotrnkkb7hnXUn533G89e2
16
+F4IM6pV0Uf8Y58iaBnWj+C80wp9B8wp8OYI4uhmB7nv0O0ZZl5sal6AMxG9jgaSd
17
+Wb/wOTYZRgI9MDC1HKyafxBWuGuK9ZylqzNuQAfPhCUjqXfg1rAR5LKG/Fhpdhjq
18
+9ngF8QEKN5jvFXUQzSvTvQVZnbALDPS60D/uyLyWSR61/IzhLiyLnS8AIwUCnKY9
19
+RVVn8it4HE0o4MeoX2SWTQgu73Yn6fhMhq3pfNYpYRH/Or2UAo2LZKOQnQARAQAB
20
+tCpUb2JpYXMgSGVua2VsIDx0b2JpYXMuaGVua2VsQGJtdy1jYXJpdC5kZT6JAlUE
21
+EwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE+y7hWy8PEmYraO2W
22
+A3UN7BWOX6IFAlq1BvEFCQI/NEIACgkQA3UN7BWOX6JaIA/8DkfZFwwFu8f+gXGg
23
+Cj0x7b8g59zy5EOOrJJ1YLVfesm1s1b15Gdww1VD5imPTsD6wP4CSOpDLFkKDT6r
24
+PqBJuIrVWZ/xZE9vkBxNgx/RmWhGXkMklRegAXxcXyse/liFypy+194frtVYM4BJ
25
+kq08KQJftZPHoljUX02yfxtsygHl4t4E/zIMSHDjQZ4B/vcE8SXs5/zWrACpu1/l
26
+PdP415YQ9pXlhIIMhcl5nFS+DOfVitaIBSkchqadxr1+Qkw31TeSl+dy2s7hneWN
27
+2tG3plP1vQA1hzf5UGzMvFCaLYjnBAjKVZF5bqE+bNI2Q5o+U5fCSqFytWy7OW2M
28
+cTmf+Flwe1zf4RkVsGHcleweeQ9IDeAGBm/t3YPn2KNIby5/u8csJFcbWsS2v8is
29
+7EVwEVv8N1mpa2eK7joYRKDijEy3okKkYoQWOAKSkZwyqpcTVn8gbAIJPiaI96we
30
+xErHhrQe42cnKqwVHkLzh66zpEhpgJhjGmmFOfkJUB46vMcoiiowZHsx0wPaWwte
31
+0MHHvpmuQYC3+dlbfbGAd2V1K4WtVu2Kng1n/7rY1wGyyIShVjdFThrArkJKErkL
32
+yG93fFXqFbqmUjqPWv8qdu3Ncn7LH55j2l3DkYYuu2kEF6zf1lJYU8A46UnNpN4B
33
+11FZ/ruMXYGg1iC8QJB7mKhmiXG0JFRvYmlhcyBIZW5rZWwgPHRvYmlhcy5oZW5r
34
+ZWxAYm13LmRlPokCVQQTAQgAPwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AW
35
+IQT7LuFbLw8SZito7ZYDdQ3sFY5fogUCWrUG8QUJAj80QgAKCRADdQ3sFY5fopnD
36
+D/9pB+msaygKwuGZDX10wl5vv8mbmI0Y2nWODIJ4c8uJWAEJgZMSI/R7oYRKiHdV
37
+hqv7yTIrX9m3OWq+PLE865dFEtWiXoHiz56leNYFWIUunmjxoW9Kcdb9fVyTRUlI
38
+j0o9LKWqZJcihncBlOHVQVNAzeaSaoDQVN40tOInxUKwquvFws1vaKMCan2UJpsw
39
+XrfZl/WjLTEHnT+LuSdlDL1uNn9fpR/glVE0damQcah0uUOYRwpVhiPvaThv68cU
40
+W1Wwj/7oLt5NS62oByIYcPX5fzFGh+0A6t1PAqdjJp/QvlOjK+KT2VkpghPcVghC
41
+zYr7s4WEAYrmvY3QCCIUPaBaoH1ydIXc6ZQp2edfSgi4o1mGOaYziWkvLvKg34S6
42
+Yzk211kBE8VZMz98+gpHCo9tA+brChFIB6V2txrHAdhzdd/MnM1SEuB60bzxJ3rX
43
+ZMqJNwZguOVxxlBs3hMMapEMSBpVQv2lqFjocw7g7olPMJcaHuC+edxN2krkwpvl
44
+lM4hd2jdepA1IT3clsCvMku5UB4f1QUQx+AFxAirTQkczMdjQGi8UtScjULCyO2H
45
+M+lQjRYWa7x5FEM8m2+CMyKnyvCS6SQq3Uw9NNJ5PsaMQOwTaedilnmI538qbImZ
46
+oChztVVU2byPw0V+R7De7kS5O6TB4Nc/GdrYUoBmeKprwLkCDQRaVwYvARAAu6F3
47
+lC4NVK6uxZQT8hVbnmATm5yk1BOVP1pd+HeY1yGzbOPkIhPg6dNjxSEaSRvF26yw
48
+jhFI940b9fa/mqPBPCRyt8XkRfZHr91qf/amNxs/LSAgAdGsrpFDG6TVkGDJfPlL
49
+6XkdLtQdBuGHiFDABH3SCx4pfYYQvNX0Z0wEYIOm4Dkj2k1ceEDK7oizkZCzHhao
50
+mzLKkNHH9rbaq5WV0DxLjQla9JjE1HlMyL5HT/oM9Qs7PCMqqczV0D8gmCcx+uBD
51
+j6BWTnpWRgVWVg/O3ulrAU4XaVy8eJ0hiFPBuD1SIFaby2MBlbbJwWWNQtimXc6H
52
+zS4YSLWGN7rsU/UDKriFbaycHopD2OAJsx6xvuDV6lWMQhN/3PHMvIpNuqw2IzHA
53
+Y+wqHwlsa+xDuVISNc9sVj9le6r7SKJ8VvbgJbrcQ4LIgBvgtqr+PHvE3ygscpUr
54
+AKYvEHgu40X+A8Q6VP8DQ5sdTvJbLJSrJVK6uCcS8tzDrLFax/VYAez+PxsXhLKB
55
+kv/zG9ZE1Utb+B0OQIlwsK4nIz5p8obdWsrrMSm7JEKh6NQKa4qO1VvsxgARAT6i
56
+4CS/8NywYe8eXyN+M9BOl+f7RuzfQukd5dYas3YE+JrHg5TEueUqHxKGQv21PAb3
57
+F/yMm7CVTvw30CAZqW0vShw79YWYdEO3lkVB050AEQEAAYkCPAQYAQgAJgIbDBYh
58
+BPsu4VsvDxJmK2jtlgN1DewVjl+iBQJatQcNBQkCPzReAAoJEAN1DewVjl+itPIP
59
+/RTbOYHUdZWeXcCqGiU5G/+mxlnrEPHR+B5idRZTEPClIzHGuywRai7BLDSq5t+t
60
+GAhO4kjKuaUIo7UUOlCK9dgn9l/jl7hh6HEjUX1JAwgpWlnwIJTqAiklZhvx9BWb
61
+GBF2mzlDYIR6FP/JBJIWMuBZxnNjMV8lEaH0675xrLHD1W8VJsybqqoqN+zLQrP4
62
+YY/xrSQJA968LuxYpWmWbhTzYuNv6fsQSlF36ayrAjxGfJ2zQ7wwfF5Kbo6tFDyx
63
+R7UwdVxDc0FmABPs+skbOjjAZP7IB8ZjBb6+BrDCEUXOEfjv7Xwo5RoxmPAH3a8L
64
+LuQAKrpz3fwlXyL0vyOtNN2vhGTmR9zCap37PlFZ/zI8VdVRaLenYwcglEtoxy6A
65
+d3kFO7ZOdk+D9zVm7inv8aKZ4ru8FLVwSDVEEP00P0a7NbyMs5PkpK29+xqAbkq+
66
+4xhq0sW1TdB+7W13G/2nymzJ58x9pXQwSVQZLVIbnmf7rGp0Z+CrcnV+XkZOVqPQ
67
+tQvWIshx11oB/oBkUr4109Lg+qOti+jQ1aT8KxVIFBITl1HLm9vpIy24qFLpGdIh
68
+wIHaKIZS27Rkje/xzfl6qJ3xBsIY0Bh/z2xe8jvJ55VN2FNDxAXh8i7grV+77Xqh
69
+Y1Ls9ADOLHGQfS+2i9J89mU+XCyxNTpbRy/d86WN5Unj
70
+=NkrA
71
+-----END PGP PUBLIC KEY BLOCK-----

+ 1
- 0
doc/source/user/index.rst View File

@@ -18,3 +18,4 @@ configure it to meet your needs.
18 18
    encryption
19 19
    badges
20 20
    howtos
21
+   vulnerabilities

+ 68
- 0
doc/source/user/vulnerabilities.rst View File

@@ -0,0 +1,68 @@
1
+:title: Vulnerability Reporting
2
+
3
+.. _vulnerability-reporting:
4
+
5
+Vulnerability Reporting
6
+=======================
7
+
8
+Zuul strives to be as secure as possible, implementing a layered
9
+defense-in-depth approach where any untrusted code is executed and
10
+leveraging well-reviewed popular libraries for its cryptographic
11
+needs. Still, bugs are inevitable and security bugs are no exception
12
+to that rule.
13
+
14
+If you've found a bug in Zuul and you suspect it may compromise the
15
+security of some part of the system, we'd appreciate the opportunity
16
+to privately discuss the details before any suspected vulnerability
17
+is made public. There are a couple possible ways you can bring
18
+security bugs to our attention:
19
+
20
+Create a Private Story in StoryBoard
21
+------------------------------------
22
+
23
+You can create a private story at the following URL:
24
+
25
+`<https://storyboard.openstack.org/#!/story/new?force_private=true>`_
26
+
27
+Using this particular reporting URL helps prevent you from
28
+forgetting to set the ``Private`` checkbox in the new story UI
29
+before saving. If you're doing this from a normal story creation
30
+workflow instead, please make sure to set this checkbox first.
31
+
32
+Enter a short but memorable title for your vulnerability report and
33
+provide risks, concerns or other relevant details in the description
34
+field. Where it lists teams and users that can see this story, add
35
+the ``zuul-security`` team so they'll be able to work on triaging
36
+it. For the initial task, select the project to which this is
37
+specific (e.g., ``openstack-infra/zuul`` or
38
+``openstack-infra/nodepool``) and if it relates to additional
39
+projects you can add another task for each of them making sure to
40
+include a relevant title for each task. When you've included all the
41
+detail and tasks you want, save the new story and then you can
42
+continue commenting on it normally. Please don't remove the
43
+``Private`` setting, and instead wait for one of the zuul-security
44
+reviewers to do this once it's deemed safe.
45
+
46
+Report via Encrypted E-mail
47
+---------------------------
48
+
49
+If the issue is extremely sensitive or you’re otherwise unable to
50
+use the task tracker directly, please send an E-mail message to one
51
+or more members of the Zuul security team. You’re encouraged to
52
+encrypt messages to their OpenPGP keys, which can be found linked
53
+below and also on the keyserver network with the following
54
+fingerprints:
55
+
56
+.. TODO: add some more contacts/keys here
57
+
58
+* Jeremy Stanley <fungi@yuggoth.org>:
59
+  `key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__)
60
+
61
+* Tobias Henkel <tobias.henkel@bmw.de>:
62
+  `key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`_ (details__)
63
+
64
+.. _`key 0x97ae496fc02dec9fc353b2e748f9961143495829`: ../_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
65
+.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0x97ae496fc02dec9fc353b2e748f9961143495829&fingerprint=on
66
+
67
+.. _`key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`: ../_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
68
+.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2&fingerprint=on

Loading…
Cancel
Save