This section describes which versions of Yorc are currently being supported with security updates.
| Version | Supported |
|---|---|
| 4.1.x | ✅ |
| 4.0.x | ✅ |
| 3.2.x | ❌ |
| < 3.2 | ❌ |
The Yorc team and community take all security bugs in Yorc seriously. Thank you for improving the security of Yorc. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
Report security bugs by emailing the security team at ystia-security@framalistes.org and include the word "SECURITY" in the subject line..
In addition, please include the following information along with your report:
- Your name and affiliation (if any).
- A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings.
- An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex.
- Whether this vulnerability public or known to third parties. If it is, please provide details.
A project maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Once an issue is reported, Yorc team uses the following disclosure process:
- When a report is received, we confirm the issue and determine its severity and affected versions.
- If we know of specific third-party services or software based on Yorc that require mitigation before publication, those projects will be notified.
- An advisory is prepared (but not published) which details the problem and steps for mitigation.
- Wherever possible, fixes are prepared for all releases still under maintenace. We will attempt to commit these fixes as soon as possible, and as close together as possible.
- Patch releases are published for all fixed released versions and the advisory is published.
Report security bugs in third-party modules to the person or team maintaining the module.