From d0728b86ece983157d1123922c1dcc1a7954b296 Mon Sep 17 00:00:00 2001 From: machine424 Date: Tue, 15 Jul 2025 20:55:13 +0200 Subject: [PATCH] chore(security.md): add more precisions regarding sec bugs reporting Signed-off-by: machine424 --- docs/operating/security.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/docs/operating/security.md b/docs/operating/security.md index 6dd1a4b5f..f27a53940 100644 --- a/docs/operating/security.md +++ b/docs/operating/security.md @@ -23,12 +23,21 @@ This page describes the general security assumptions of Prometheus and the attack vectors that some configurations may enable. As with any complex system, it is near certain that bugs will be found, some of -them security-relevant. If you find a _security bug_ please report it -privately to the maintainers listed in the MAINTAINERS of the relevant -repository and CC prometheus-team@googlegroups.com. We will fix the issue as soon -as possible and coordinate a release date with you. You will be able to choose -if you want public acknowledgement of your effort and if you want to be -mentioned by name. +them security-relevant. If you discover a _security bug_ that has not yet been +publicly disclosed, please report it privately to the maintainers listed in the +MAINTAINERS of the relevant repository and CC prometheus-team@googlegroups.com. +We will fix the issue as soon as possible and coordinate a release date with +you. You will be able to choose if you want public acknowledgement of your +effort and if you want to be mentioned by name. + +For _security bugs_ that have already been publicly disclosed and require more than +just a dependency version bump to fix, please open a +[Bug report](https://github.com/prometheus/prometheus/issues) including all relevant +details, unless one has already been filed. + +Most dependency version updates are handled automatically. However, if a _security bug_ +fix only requires updating a dependency version and our automation missed it, feel +free to submit the update directly. ## Automated security scanners