Files
minio/VULNERABILITY_REPORT.md
T
Feng Ruohang f48dbe777d docs: refresh security docs and fork references
Update the STS, security, select, and Docker documentation to reflect the recent hardening work, including LDAP STS throttling details, OIDC JWT verification changes, and the new pgsty-specific security policy and advisory index.

Rewrite repository and raw-document links that still pointed at minio/minio so the docs consistently reference pgsty/minio instead.

The core idea is to keep the documentation aligned with the fork's actual security behavior, ownership, and upgrade guidance without mixing in unrelated code changes.
2026-04-17 15:06:42 +08:00

1.6 KiB

Vulnerability Management Policy

This document describes how the pgsty/minio maintainers investigate, assess, and remediate reported vulnerabilities affecting this fork, any directly shipped component, or a direct / indirect dependency used by this repository.

Scope

This policy covers vulnerability reports opened by repository maintainers or external third parties against pgsty/minio itself, its release artifacts, or dependencies that materially affect this fork.

It defines the information needed for triage and the expected remediation workflow for supported fixes.

Vulnerability Management Process

A useful vulnerability report should contain the following information:

  • The project / component that contains the reported vulnerability.
  • A description of the vulnerability. In particular, the type of the reported vulnerability and how it might be exploited. Alternatively, a well-established vulnerability identifier, such as a CVE or GHSA ID, can be used instead.

Based on the report, the pgsty/minio maintainers investigate:

  • Whether the reported vulnerability exists.
  • The conditions that are required such that the vulnerability can be exploited.
  • Which releases, branches, or deployment paths are affected.
  • The steps required to fix the vulnerability.

If the vulnerability exists in this fork itself, the maintainers will, when feasible, fix the issue or implement reasonable countermeasures such that the vulnerability can no longer be exploited. Fork-specific upgrade notes and security advisories are published in docs/security/advisories.md.