We release patches for security vulnerabilities. Regardless of the CVSS v3.0 rating of an issue, only the latest version is eligible to receive such patches:
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
The HackUCF team and community take all security bugs in image-shepherd seriously. Please report to us if:
- You think you discovered a potential security vulnerability in image-shepherd
- You are unsure how a vulnerability affects image-shepherd
- You think you discovered a vulnerability in another project that image-shepherd depends on
The following are not security reports and should not be sent through this process:
- You need help tuning image-shepherd components for security
- You need help applying security related updates
- Your issue is not security related
Please report security vulnerabilities by emailing the maintainers at:
Please include the following information in your report:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly. After you submit a report:
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a detailed response within 7 days indicating the next steps in handling your report
- We will keep you informed of the progress towards a fix and full announcement
- We may ask for additional information or guidance
Our process for handling a report:
- Acknowledgment: We acknowledge the vulnerability report
- Assessment: We assess the vulnerability and determine its severity
- Fix Development: We develop a fix for the vulnerability
- Testing: We test the fix to ensure it resolves the issue without introducing new problems
- Release: We release a new version with the fix
- Disclosure: We publicly disclose the vulnerability details after the fix is available
We prefer all communications to be in English.
If you have suggestions on how this process could be improved please submit a pull request.
When using image-shepherd, please follow these security best practices:
- Always use the latest version of the container image
- Run containers with non-root users when possible
- Use read-only file systems when applicable
- Regularly scan your container images for vulnerabilities
- Validate all input images before processing
- Implement proper access controls for image files
- Use secure temporary directories with appropriate permissions
- Monitor and log image processing activities
- Keep your host systems and dependencies up to date
- Use proper network segmentation
- Implement monitoring and alerting for security events
- Perform regular security audits and penetration testing
- Be aware that large image files may cause memory exhaustion; bound the size of input you accept accordingly
- Be aware that malformed image files could cause crashes; never hand unvalidated bytes to a decoder
- Ensure adequate disk space for image processing operations
- Require authentication on all API endpoints
- Use HTTPS for all network communications
- Implement rate limiting to prevent abuse
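The list above asks for input validation, private temporary directories, and protection against memory exhaustion from large images and crashes from malformed ones, but does not show what such a check looks like. The following Python is an added illustration written for this page, not code from image-shepherd, of a pre-decode gate that enforces those points: it bounds the file size, identifies the format by its signature, reads the declared dimensions from the header so that decompression-bomb style images are refused before any decoder runs, and creates an owner-only (mode 0700) scratch directory only after confirming free disk space. The limits, function names and sample inputs are constructed for the example.

```python
import os
import shutil
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical limits chosen for this example; a real deployment tunes them to its memory and disk budget.
MAX_FILE_BYTES = 8 * 1024 * 1024    # never read more than 8 MiB of input
MAX_PIXELS = 20_000_000             # about 80 MiB of RGBA once decoded; anything larger is refused
MIN_FREE_BYTES = 16 * 1024 * 1024   # refuse to start work if the scratch disk has under 16 MiB free

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class ImageRejected(ValueError):
    """Raised when input fails validation; the bytes are never handed to a decoder."""


@dataclass
class ImageInfo:
    fmt: str
    width: int
    height: int


def _png_dimensions(data: bytes) -> Tuple[int, int]:
    # PNG layout: 8-byte signature, then the IHDR chunk (4-byte length, 4-byte type, 13-byte body, 4-byte CRC).
    if len(data) < 8 + 8 + 13:
        raise ImageRejected("truncated PNG: IHDR chunk missing")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ImageRejected("malformed PNG: first chunk is not a 13-byte IHDR")
    return struct.unpack(">II", data[16:24])


def inspect_image(data: bytes) -> ImageInfo:
    """Identify the format by its signature and bound the decoded size using header fields only."""
    if len(data) > MAX_FILE_BYTES:
        raise ImageRejected(f"file too large: {len(data)} bytes")
    if data.startswith(PNG_SIGNATURE):
        fmt, (width, height) = "png", _png_dimensions(data)
    elif data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            raise ImageRejected("truncated GIF: logical screen descriptor missing")
        fmt, (width, height) = "gif", struct.unpack("<HH", data[6:10])
    else:
        raise ImageRejected("unsupported or unrecognised image format")
    # Zero or out-of-range dimensions mean a corrupt header (PNG allows at most 2**31 - 1 per axis).
    if not (0 < width <= 2**31 - 1 and 0 < height <= 2**31 - 1):
        raise ImageRejected(f"malformed header: dimensions {width}x{height} out of range")
    # Decide from the declared size alone, before allocating a single pixel.
    if width * height > MAX_PIXELS:
        raise ImageRejected(f"declared size {width}x{height} exceeds pixel budget")
    return ImageInfo(fmt, width, height)


def make_scratch_dir(base: Optional[str] = None) -> str:
    """Create a private scratch directory (owner-only, 0700) and refuse to start on a nearly full disk."""
    path = tempfile.mkdtemp(prefix="image-shepherd-", dir=base)  # mkdtemp already creates it as 0700
    os.chmod(path, 0o700)  # make the intent explicit regardless of umask
    free = shutil.disk_usage(path).free
    if free < MIN_FREE_BYTES:
        os.rmdir(path)
        raise ImageRejected(f"only {free} bytes free under {path}; refusing to process")
    return path


def scratch_dir_is_private(path: str) -> bool:
    """True when the directory grants nothing to group or other."""
    return (os.stat(path).st_mode & 0o077) == 0


def remove_scratch_dir(path: str) -> None:
    shutil.rmtree(path)


def _png(width: int, height: int) -> bytes:
    # Constructed sample: signature plus a syntactically valid IHDR (8-bit RGBA; CRC left as zeros, never decoded here).
    ihdr = struct.pack(">II", width, height) + bytes([8, 6, 0, 0, 0])
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"


# Constructed inputs covering the cases the policy warns about.
SAMPLES: Dict[str, bytes] = {
    "ok_png": _png(640, 480),
    "ok_gif": b"GIF89a" + struct.pack("<HH", 320, 200) + b"\x00\x00\x00",
    "bomb_png": _png(100_000, 100_000),             # 10 gigapixels declared in a 33-byte file
    "zero_size_png": _png(0, 100),
    "truncated_png": PNG_SIGNATURE + b"\0\0\0\rIHD",
    "oversized": b"\0" * (MAX_FILE_BYTES + 1),
    "not_an_image": b"%PDF-1.7",
}


def validate_all(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Run every sample through inspect_image; returns name -> 'ok <fmt> WxH' or the rejection reason."""
    results = {}
    for name, data in samples.items():
        try:
            info = inspect_image(data)
            results[name] = f"ok {info.fmt} {info.width}x{info.height}"
        except ImageRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in validate_all(SAMPLES).items():
        print(f"{name:14} {verdict}")
    scratch = make_scratch_dir()
    print("scratch dir:", scratch, "private:", scratch_dir_is_private(scratch))
    remove_scratch_dir(scratch)
```

The point of reading dimensions from the header rather than decoding is that the decision is made on a few bytes: a 33-byte PNG declaring 100000x100000 pixels is rejected without the decoder ever attempting the multi-gigabyte allocation. Only inputs that pass this gate should be passed to a real image library, and that library should still run inside the resource-limited, non-root container the list above recommends.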
We regularly monitor our dependencies for security vulnerabilities using:
- Dependabot for automated dependency updates
- Security scanning in our CI/CD pipeline
- Regular security audits of critical dependencies
Our CI/CD pipeline includes:
- Static security analysis with Trivy
- Dependency vulnerability scanning
- Container image scanning
- Infrastructure as Code security scanning
For questions about security practices or concerns not covered in this policy, please contact us at security@hackucf.org.