Calendar Favorite 1 Streamline Icon: https://streamlinehq.com  Mark Your Calendars: The next VSecM Contributor Sync will be on... Thursday, 2024-05-30 at 8:00a Pacific time.
Rating Star 1 Streamline Icon: https://streamlinehq.com  Star VMware Secrets Manager to show your support. Help us reach out to even more people with this amazing tech.

Security

Secure All the Things 🛡️

This section contains how we handle security in VSecM.

Link Vulnerability Management And Remediation Policy

Ensuring the security of VMware Secrets Manager is a top priority and a continuous process that involves various proactive and reactive measures. On such measure is promptly addressing the security vulnerabilities that are found in the codebase.

All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed. This is mandatory to maintain the highest security standards for the project.

For additional context, here is how we categorize the severity of the vulnerabilities:

  • Medium Severity: A vulnerability that allows unauthorized disclosure of information or unauthorized modification of a system.
  • High Severity: A vulnerability that allows unauthorized administrative
    access to a system.

Link Target Response Times

Our target time frame is 60 days for fixing vulnerabilities of medium or higher severity. That is to say, we do our best so that our codebase does not contain any public vulnerabilities of medium or higher severity that have been known for more than 60 days.

In addition, our target initial response time for any vulnerability report received in the last 6 months is less than or equal to 14 days.

Link About Keys and Nonce Values

Cryptography plays a vital role in securing both data at rest and in transit. Ensuring that cryptographic keys and nonces are generated securely is fundamental to maintaining a robust security posture.

WMware Secrets Manager generates all cryptographic keys and nonces that it needs using secure random generators. In the event that this practice is not followed, a bug MUST be filed to address this issue immediately.

Link About Tests

High-quality software is not just about features and performance; it’s also about reliability and predictability. Automated testing is a cornerstone in achieving these goals.

Here is an informal guideline about how we approach testing in VMware Secrets Manager:

As major new functionality is added to the software produced by this project, corresponding tests MUST be added to an automated test suite.

In this context, “Major New Functionality” means features or changes that substantially alter the behavior, capabilities, or user experience of the software.

Link Report a Security Vulnerability

We take VMware Secrets Manager’s security seriously. If you believe you have found a vulnerability, please follow this guideline to responsibly disclose it.

edit this page ✏️