mirror of
https://github.com/pgsty/minio.git
synced 2026-07-15 16:30:29 +03:00
f48dbe777d
Update the STS, security, select, and Docker documentation to reflect the recent hardening work, including LDAP STS throttling details, OIDC JWT verification changes, and the new pgsty-specific security policy and advisory index. Rewrite repository and raw-document links that still pointed at minio/minio so the docs consistently reference pgsty/minio instead. The core idea is to keep the documentation aligned with the fork's actual security behavior, ownership, and upgrade guidance without mixing in unrelated code changes.
38 lines
1.6 KiB
Markdown
38 lines
1.6 KiB
Markdown
# Vulnerability Management Policy
|
|
|
|
This document describes how the `pgsty/minio` maintainers investigate,
|
|
assess, and remediate reported vulnerabilities affecting this fork, any
|
|
directly shipped component, or a direct / indirect dependency used by this
|
|
repository.
|
|
|
|
## Scope
|
|
|
|
This policy covers vulnerability reports opened by repository maintainers or
|
|
external third parties against `pgsty/minio` itself, its release artifacts, or
|
|
dependencies that materially affect this fork.
|
|
|
|
It defines the information needed for triage and the expected remediation
|
|
workflow for supported fixes.
|
|
|
|
## Vulnerability Management Process
|
|
|
|
A useful vulnerability report should contain the following information:
|
|
|
|
- The project / component that contains the reported vulnerability.
|
|
- A description of the vulnerability. In particular, the type of the
|
|
reported vulnerability and how it might be exploited. Alternatively,
|
|
a well-established vulnerability identifier, such as a CVE or GHSA ID, can
|
|
be used instead.
|
|
|
|
Based on the report, the `pgsty/minio` maintainers investigate:
|
|
|
|
- Whether the reported vulnerability exists.
|
|
- The conditions that are required such that the vulnerability can be exploited.
|
|
- Which releases, branches, or deployment paths are affected.
|
|
- The steps required to fix the vulnerability.
|
|
|
|
If the vulnerability exists in this fork itself, the maintainers will, when
|
|
feasible, fix the issue or implement reasonable countermeasures such that the
|
|
vulnerability can no longer be exploited. Fork-specific upgrade notes and
|
|
security advisories are published in `docs/security/advisories.md`.
|