Airship Security Vulnerability Management

The Airship community is committed to expediently confirming, resolving, and disclosing all reported security vulnerabilities. We appreciate your cooperation and participation in our vulnerability management process outlined below.

Report a Vulnerability

If you discover a vulnerability in an Airship project, please treat the issue with a sense of confidentiality and disclose it to the airship-security mailing list:

Additionally, please include any potential fixes, as doing so can expedite the disclosure and patching processes.

The Airship Working Committee is the sole subscriber of the airship-security mailing list and monitors it for reported vulnerabilities. The committee confirms or rejects reported vulnerabilities in correspondence with the vulnerability reporter. In the event that the Airship Working Committee does not have the expertise or availability to resolve a reported vulnerability, the committee may solicit assistance from outside contributors to better facilitate the understanding and resolution of reported security vulnerabilities.

Receive Early Disclosures

We prefer to disclose confirmed security vulnerabilities as soon as possible. While circumstances may not always allow immediate disclosure, vulnerabilities may be disclosed over the airship-embargo-notice mailing list when a fix becomes available. The airship-embargo-notice mailing list notifies Airship users of confirmed vulnerabilities. If you operate Airship in a production environment, we recommend subscribing to the airship-embargo-notice mailing list by contacting the Airship Working Committee. The Airship Working Committee evaluates subscription requests on a case-by-case basis.

Receive Public Disclosures

Within ninety days of the initial vulnerability report, except in unusual circumstances, the Airship Working Committee will publicly disclose the reported vulnerability and its mitigation over the airship-announce and airship-discuss mailing lists. If a fix merges before the aforementioned ninety day period expires, the Airship Working Committee will instead disclose the vulnerability and fix twenty-one days later. We recommend subscribing to both mailing lists in order to receive security updates.