You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Galaxy project is strongly committed to security and responsible disclosure. We have adopted and published a set of policies specifying how we will act in response to reported security issues, in order to ensure timely updates are made available to all affected parties.
4
+
5
+
## Reporting Security Issues
6
+
7
+
If you believe you have discovered a security issue, please email [galaxy-committers@lists.galaxyproject.org](galaxy-committers@lists.galaxyproject.org). Please use `[SECURITY]` in the email title. Someone on that list will acknowledge your email within 2 US business days. We ask that you not disclose the issues on the public issue tracker. We will provide you credit for the discovery when publicly disclosing the issue.
8
+
9
+
Security issues which *only* affect a pre-release version of Galaxy (i.e. the `dev` branch in GitHub) do not need to go through this process, so you may open issues and pull requests publicly.
10
+
11
+
## Supported versions
12
+
13
+
The following branches or releases receive security support:
14
+
15
+
- Development on the `dev` branch, hosted on GitHub, which will become the next release of Galaxy
16
+
- Releases within the past 12 months.
17
+
- E.g. 16.04 will receive support until 2017-04. As the month changes to 2017-05 it will become unsupported.
18
+
- There are currently no plans for Long Term Support (LTS) releases.
19
+
20
+
For unsupported branches:
21
+
22
+
- Older versions of Galaxy may be affected by security issues.
23
+
- Security patches *may* apply
24
+
- The security team does not commit to investigating issues that pertain to unsupported releases.
25
+
- The security team does not commit to issuing patches or new releases of unsupported versions.
26
+
27
+
## Issue Severity
28
+
29
+
Galaxy takes a very conservative stance on issue severity as individual Galaxy instances often install tools and make customizations that might increase their risk in the face of otherwise less-serious vulnerabilities. As a result, issues that would be considered less-severe in other projects may be treated as higher risk here.
30
+
31
+
### Issue Classification
32
+
33
+
Severity | Examples
34
+
------------ | ---------
35
+
High | Remote code execution (RCE), SQL Injection, Cross-site scripting (XSS), and *any issue allowing user impersonation*.
36
+
Medium / Low | Unvalidated redirects/forwards, Issues due to uncommon configuration options.
37
+
38
+
These are only examples. The security team will provide a severity classification based on its impact on the average Galaxy instance. However, Galaxy administrators should take it upon themselves to evaluate the impact for their instance(s).
39
+
40
+
## Notification of Vulnerabilities
41
+
42
+
For high severity issues, we will notify [the list of public Galaxy owners](https://lists.galaxyproject.org/listinfo/galaxy-public-servers) with:
43
+
44
+
- A description of the issue
45
+
- List of supported versions that are affected
46
+
- Steps to update or patch your Galaxy
47
+
48
+
The issue will then be embargoed for three (3) days. For medium and low
49
+
severity issues, or for publicly announcing high severity issues after the
50
+
embargo, we will:
51
+
52
+
- Patch the oldest release within the 12 month support window, and merge that fix forward.
53
+
- Updates will be available on the `release_XX.YY` branches.
54
+
- Update each release branch
55
+
- Post a notice to the [galaxy-announce mailing list](https://lists.galaxyproject.org/listinfo/galaxy-announce) with:
56
+
- A description of the issue
57
+
- List of supported versions that are affected
58
+
- Steps to update or patch your Galaxy
59
+
60
+
If an issue is deemed to be time-sensitive – e.g. due to active and ongoing exploits in the wild – the embargo may be shortened considerably.
61
+
62
+
If we believe that the reported issue affects other Galaxy Project components or projects outside of the Galaxy ecosystem, we may discuss the issue with those projects and coordinate disclosure and resolution with them.
0 commit comments