Skip to content

Security: Timbus/salt

Security

SECURITY.md

SaltStack's Security Disclosure Policy

Email

GPG key ID:

  • 4EA0793D

GPG key fingerprint:

  • 8ABE 4EFC F0F4 B24B FF2A AF90 D570 F2D3 4EA0 793D

GPG Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFO15mMBEADa3CfQwk5ED9wAQ8fFDku277CegG3U1hVGdcxqKNvucblwoKCb
hRK6u9ihgaO9V9duV2glwgjytiBI/z6lyWqdaD37YXG/gTL 9Md qdSDeaOa/9eg
7y g4P FvU9HWUlujRVlofUn5Dj/IZgUywbxwEybutuzvvFVTzsn DFVwTH34Qoh
QIuNzQCSEz3Lhh8zq9LqkNy91ZZQO1ZIUrypafspH6GBHHcE8msBFgYiNBnVcUFH
u0r4j1Rav 621EtD5GZsOt05 NJI8pkaC/dDKjURcuiV6bhmeSpNzLaXUhwx6f29
Vhag5JhVGGNQxlRTxNEM86HEFp 4zJQ8m/wRDrGX5IAHsdESdhP ljDVlAAX/ttP
/Ucl2fgpTnDKVHOA00E515Q87ZHv6awJ3GL1veqi8zfsLaag7rw1TuuHyGLOPkDt
t5PAjsS9R3KI7pGnhqI6bTOi591odUdgzUhZChWUUX1VStiIDi2jCvyoOOLMOGS5
AEYXuWYP7KgujZCDRaTNqRDdgPd93Mh9JI8UmkzXDUgijdzVpzPjYgFaWtyK8lsc
Fizqe3/Yzf9RCVX/lmRbiEH ql/zSxcWlBQd17PKaL TisQFXcmQzccYgAxFbj2r
QHp5ABEu9YjFme2Jzun7Mv9V4qo3JF5dmnUk31yupZeAOGZkirIsaWC3hwARAQAB
tDBTYWx0U3RhY2sgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAc2FsdHN0YWNrLmNv
bT6JAj4EEwECACgFAlO15mMCGwMFCQeGH4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
AheAAAoJENVw8tNOoHk9z/MP/2vzY27fmVxU5X8joiiturjlgEqQw41IYEmWv1Bw
4WVXYCHP1yu/1MC1uuvOmOd5BlI8YO2C2oyW7d1B0NorguPtz55b7jabCElekVCh
h/H4ZVThiwqgPpthRv/2npXjIm7SLSs/kuaXo6Qy2JpszwDVFw xCRVL0tH9KJxz
HuNBeVq7abWD5fzIWkmGM9hicG/R2D0RIlco1Q0VNKy8klG pOFOW886KnwkSPc7
JUYp1oUlHsSlhTmkLEG54cyVzrTP/XuZuyMTdtyTc3mfgW0adneAL6MARtC5UB/h
q v9dqMf4iD3wY6ctu8KWE8Vo5MUEsNNO9EA2dUR88LwFZ3ZnnXdQkizgR/Aa515
dm17vlNkSoomYCo84eN7GOTfxWcq iXYSWcKWT4X h/ra LmNndQWQBRebVUtbKE
ZDwKmiQz/5LY5EhlWcuU4lVmMSFpWXt5FR/PtzgTdZAo9QKkBjcv97LYbXvsPI69
El1BLAg m 1UpE1L7zJT1il6PqVyEFAWBxW46wXCCkGssFsvz2yRp0PDX8A6u4yq
rTkt09uYht1is61joLDJ/kq3 6k8gJWkDOW 2NMrmf /qcdYCMYXmrtOpg/wF27W
GMNAkbdyzgeX/MbUBCGCMdzhevRuivOI5bu4vT5s3KdshG yhzV45bapKRd5VN 1
mZRqiQJVBBMBCAA/AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBIq Tvzw
9LJL/yqvkNVw8tNOoHk9BQJe1uRXBQkPoTz0AAoJENVw8tNOoHk9akAQANKIDIBY
J3DmWH3g6rWURdREQcBVfMkw6j5MHlIEwlGrN3whSaPv2KR3tatRccBCQ0olQeYb
ZeFtPuf0Du LqGaAePo5DkPNU7GHoba2 ZE/sJ4wZ4CzAQM6 LvH2iLHeLZ1VLlu
ZEftxD1RFKTqpnav8KiyYGkeFuEn4eMSIhbudp/8wkN40sCWL22D141EhVSRvLlO
BMUpTWdtSYTg0F2pgQL5U2A56syuiwUwPXzQb45JEJILmG8zkeJB9s8kGtErypIH
P qxJXq24woGUFeJjiLdiOhI6/YoVBACUkKmig36CGf/DH5NAeQECeZq3YBNp7XK
tsF1dPitxuTM/UkOHoHUnGhDlBcQMWe9WuBK4rA 7GH9NT8o7M6 2OKhk181tJ s
Y2kP7RSXOV162thRsNvVImXajAIFTR3ksEDFGVq/4jh85jFoIbNH3x27NxOu6e2p
OIkXNXmSFXLUmwbfEfIk06gqP3xzkaj eWHcLDkn9bUKblBJhHdhf9Vsy/N2NRW2
23c64qDutw1NX7msDuN3KXisim isBzPVVzymkkhkXK UpjrRR0ePvph3fnGf1bc
NipVtn1KKM7kurSrSjFVLwLi52SGnEHKJnbbhh AKV09SNYi6IaKL8yw8c1d0K80
PlBaJEvkC6myzaaRtYcna4pbiIysBaZtwDOOuQINBFO15mMBEAC5UuLii9ZLz6qH
fIJp35IOW9U8SOf7QFhzXR7NZ3DmJsd3f6Nb/habQFIHjm3K9wbpj FvaW2oWRlF
VvYdzjUq6c82GUUjW1dnqgUvFwdmM8351n0YQ2TonmyaF882RvsRZrbJ65uvy7SQ
xlouXaAYOdqwLsPxBEOyOnMPSktW5V2UIWyxsNP3sADchWIGq9p5D3Y/loyIMsS1
dj TjoQZOKSj7CuRT98 8yhGAY8YBEXu9r3I9o6mDkuPpAljuMc8r09Im6az2egt
K/szKt4Hy1bpSSBZU4W/XR7XwQNywmb3wxjmYT6Od3Mwj0jtzc3gQiH8hcEy3 BO
 NNmyzFVyIwOLziwjmEcw62S57wYKUVnHD2nglMsQa8Ve0e6ABBMEY7zGEGStva5
9rfgeh0jUMJiccGiUDTMs0tdkC6knYKbu/fdRqNYFoNuDcSeLEw4DdCuP01l2W4y
Y fiK6hAcL25amjzc yYo9eaaqTn6RATbzdhHQZdpAMxY vNT0 NhP1Zo5gYBMR6
5Zp/VhFsf67ijb03FUtdw9N8dHwiR2m8vVA8kO/gCD6wS2p9RdXqrJ9JhnHYWjiV
uXR f755ZAndyQfRtowMdQIoiXuJEXYw6XN /BX81gJaynJYc0uw0MnxWQX A5m8
HqEsbIFUXBYXPgbwXTm7c4IHGgXXdwARAQABiQI8BBgBCAAmAhsMFiEEir5O/PD0
skv/Kq Q1XDy006geT0FAl7W5K0FCQ hPUoACgkQ1XDy006geT1Q0Q//atnw1D4J
13nL8Mygk ANY4Xljub/TeZqKtzmnWGso843XysErLH1adCu1KDX1Dj4/o3WoPOt
0O78uSS81N428ocOPKx fA63n7q1mRqHHy6pLLVKoT66tmvE1ZN0ObaiPK9IxZkB
ThGlHJk9VaUg0vzAaRznogWeBh1dyZktVrtbUO5u4xDX9iql/unVmCWm U1R7t4q
fqPEbk8ZnWc7x4bAZf8/vSQ93mAbpnRRuJdDK9tsiuhl8pRz7OyzvMS81rVF75ja
7CcShPofrW4yZ7FqAUMwTbfrvsAraWmDjW17Ao7C2dUA9ViwSKJ6u6Pd5no/hwbm
jVoxtO2RvjGOBxKneD36uENAUMBExjDTkSHmOxUYSknrEKUy7P1OL2ZHLG8/rouN
5ZvIxHiMkz12ukSt29IHvCngn1UB4/7 tvDHqug4ZAZPuwH7TC5Hk6WO0OoK8Eb2
sQa2QoehQjwK0IakGd5kFEqKgbrwYPPa3my7l58nOZmPHdMcTOzgKvUEYAITjsT4
oOtocs9Nj cfCfp6YUn6JeYfiHs Xhze5igdWIl0ZO5rTmbqcD8A1URKBds0WA G
FLP9shPC0rS/L3Y1fKhqAc0h znWBU6xjipTkmzh3FdM8gGT6g9YwGQNbi/x47k5
vtBIWO4LPeGEvb2Gs65PL2eouOqU6yvBr5Y=
=F/97
-----END PGP PUBLIC KEY BLOCK-----

The SaltStack Security Team is available at [email protected] for security-related bug reports or questions.

We request the disclosure of any security-related bugs or issues be reported non-publicly until such time as the issue can be resolved and a security-fix release can be prepared. At that time we will release the fix and make a public announcement with upgrade instructions and download locations.

Security response procedure

SaltStack takes security and the trust of our customers and users very seriously. Our disclosure policy is intended to resolve security issues as quickly and safely as is possible.

  1. A security report sent to [email protected] is assigned to a team member. This person is the primary contact for questions and will coordinate the fix, release, and announcement.

  2. The reported issue is reproduced and confirmed. A list of affected projects and releases is made.

  3. Fixes are implemented for all affected projects and releases that are actively supported. Back-ports of the fix are made to any old releases that are actively supported.

  4. Packagers are notified via the salt-packagers mailing list that an issue was reported and resolved, and that an announcement is incoming.

  5. A new release is created and pushed to all affected repositories. The release documentation provides a full description of the issue, plus any upgrade instructions or other relevant details.

  6. An announcement is made to the salt-users and salt-announce mailing lists. The announcement contains a description of the issue and a link to the full release documentation and download locations.

Receiving security announcements

The fastest place to receive security announcements is via the salt-announce mailing list. This list is low-traffic.

There aren’t any published security advisories