Security: saltstack/salt

Security

SECURITY.md

Email

GPG key ID:

  • 37654A06

GPG key fingerprint:

  • 99EF 26F2 6469 2D24 973A 7007 E8BF 76A7 3765 4A06

GPG Public Key


Reporting a Vulnerability - Private Disclosure Process

The Salt Project Security Team is available at saltproject-security.pdl@broadcom.com for security-related bug reports or questions. Emails will be addressed within 3 business days.

We request the disclosure of any security-related bugs or issues be reported non-publicly until such time as the issue can be resolved and a security-fix release can be prepared. At that time we will release the fix and make a public announcement with upgrade instructions and download locations.

IMPORTANT: Do not file public issues on GitHub for security vulnerabilities

Proposed Email Content

Provide a descriptive subject line and in the body of the email include the following information:

  • Basic identity information, such as your name and your affiliation or company.
  • Detailed steps to reproduce the vulnerability (POC scripts, screenshots, and logs are all helpful to us).
  • Description of the effects of the vulnerability on Salt and the related hardware and software configurations, so that the VMware Security Team can reproduce it.
  • How the vulnerability affects Salt usage and an estimation of the attack surface, if there is one.
  • List other projects or dependencies that were used in conjunction with Salt to produce the vulnerability.

When to report a vulnerability

  • When you think Salt has a potential security vulnerability.
  • When you suspect a potential vulnerability but you are unsure that it impacts Salt.
  • When you know of or suspect a potential vulnerability on another project that is used by Salt.

Security response procedure

We take security and the trust of our customers and users very seriously. Our disclosure policy is intended to resolve security issues as quickly and safely as is possible.

  1. A security report sent to saltproject-security.pdl@broadcom.com is assigned to a team member. This person is the primary contact for questions and will coordinate the fix, release, and announcement.

  2. The reported issue is reproduced and confirmed. A list of affected projects and releases is made.

  3. Fixes are implemented for all affected projects and releases that are actively supported. Back-ports of the fix are made to any old releases that are actively supported.

  4. A new release is created and pushed to all affected repositories. The release documentation provides a full description of the issue, plus any upgrade instructions or other relevant details.

  5. An announcement is made to the salt-users and salt-announce mailing lists. The announcement contains a description of the issue and a link to the full release documentation and download locations.

Receiving security announcements

Keep an eye on the Salt Project Security Announcements landing page. Salt Project recommends subscribing to the Salt Project Security RSS feed to receive notification when new information is available regarding security announcements.

Other channels to receive security announcements include the Salt Project GitHub Discussions and the Salt Project Community Discord.

Confidentiality, integrity and availability

We consider vulnerabilities leading to the compromise of data confidentiality, elevation of privilege, or integrity to be our highest priority concerns. Availability, in particular in areas relating to DoS and resource exhaustion, is also a serious security concern. The Salt Project Security Team takes all vulnerabilities, potential vulnerabilities, and suspected vulnerabilities seriously and will investigate them in an urgent and expeditious manner.

Note that we do not currently consider the default settings for Salt to be secure-by-default. It is necessary for operators to explicitly configure settings, role based access control, and other resource related features in Salt to provide a hardened Salt environment. We will not act on any security disclosure that relates to a lack of safe defaults. Over time, we will work towards improved safe-by-default configuration, taking into account backwards compatibility.

Guidance on Salt and security best practices

Reference the following documentation to ensure Salt best practices are being implemented in your infrastructure:

There aren’t any published security advisories
