We’re extremely grateful for security researchers and users that report vulnerabilities to the Firewall Orchestrator Community. All reports are thoroughly investigated by the Firewall Orchestrator team.
In case you discover a security issue/vulnerability, please contact security@cactus.de with all the details, attaching necessary information if possible.
Do not open an issue!
- You think you have discovered a potential security vulnerability in Firewall Orchestrator.
- You are unsure how a vulnerability affects Firewall Orchestrator.
- You need help with tuning Firewall Orchestrator components for security.
- You need help applying security related updates.
- Your issue is not security related.
Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days.
The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).
A public disclosure date is negotiated by the security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Firewall Orchestrator maintainers and the security team will take the final call on setting a disclosure date.
(Some sections have been inspired and adapted from https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md).
| Version | Supported |
|---|---|
| 1.x | ❌ |
| 2.x | ❌ |
| 3.x | ❌ |
| 4.x | ✅ (until 2022-12-31) |
| 5.x | ✅ |