author: Jeremy Stanley <fungi@yuggoth.org> 2018-03-19 20:20:24 +0000
committer: Jeremy Stanley <fungi@yuggoth.org> 2018-12-05 16:12:30 +0000
commit: ddd8594a3c0ed7129a63d216db5cfe2fb359e8ce (patch)
tree: 157478e88c0d8d6545d65a9df51348017e1629e4
parent: 65a89f441b8c84501e87a8f26e37d38e08b0e42c (diff)
Add instructions for reporting vulnerabilities
Prominently in the Zuul User Guide, include a brief overview of preferred methods for reporting suspected security vulnerabilities. Also link to it from the README in such a way that the same reference can be reused in other related Zuul repositories following the same policy.

Change-Id: I2bd13bd13372f26c328cd7d6b5618ee8edffe490
Notes (review):
Code-Review+2: Tobias Henkel <tobias.henkel@bmw.de>
Workflow+1: Tobias Henkel <tobias.henkel@bmw.de>
Verified+2: Zuul
Submitted-by: Zuul
Submitted-at: Wed, 05 Dec 2018 17:25:58 +0000
Reviewed-on: https://review.openstack.org/554352
Project: openstack-infra/zuul
Branch: refs/heads/master
-rw-r--r-- README.rst | 4
-rw-r--r-- doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt | 162
-rw-r--r-- doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt | 71
-rw-r--r-- doc/source/user/index.rst | 1
-rw-r--r-- doc/source/user/vulnerabilities.rst | 68
5 files changed, 306 insertions, 0 deletions
diff --git a/README.rst b/README.rst
index fa2d5d2..56ef4db 100644
--- a/README.rst
+++ b/README.rst
@@ -38,6 +38,10 @@ To clone the latest code, use `git clone https://git.zuul-ci.org/zuul`
38 38
39Bugs are handled at: https://storyboard.openstack.org/#!/project/openstack-infra/zuul 39Bugs are handled at: https://storyboard.openstack.org/#!/project/openstack-infra/zuul
40 40
41Suspected security vulnerabilities are most appreciated if first
42reported privately following any of the supported mechanisms
43described at https://zuul-ci.org/docs/zuul/user/vulnerabilities.html
44
41Code reviews are handled by gerrit at https://review.openstack.org 45Code reviews are handled by gerrit at https://review.openstack.org
42 46
43After creating a Gerrit account, use `git review` to submit patches. 47After creating a Gerrit account, use `git review` to submit patches.
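Review bot: the new paragraph asks that suspected vulnerabilities be reported privately but never says what not to do, and it sits directly under the line that points readers at the public StoryBoard tracker; consider adding an explicit "please do not file them as public stories" to the sentence so that someone skimming the README for a bug link does not land on the public tracker first. Linking to the rendered documentation at https://zuul-ci.org/docs/zuul/user/vulnerabilities.html rather than to a path inside this tree is the right choice for the reuse across repositories that the commit message describes.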
diff --git a/doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt b/doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
new file mode 100644
index 0000000..603903c
--- /dev/null
+++ b/doc/source/_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
@@ -0,0 +1,162 @@
1pub rsa4096/0x48F9961143495829 2010-06-12 [SC] [expires: 2019-03-23]
2 Key fingerprint = 97AE 496F C02D EC9F C353 B2E7 48F9 9611 4349 5829
3uid [ultimate] Jeremy Stanley <fungi@yuggoth.org>
4uid [ultimate] [jpeg image of size 2509]
5uid [ultimate] Jeremy Stanley <jeremy@openstack.org>
6sub rsa4096/0x17FC38FB4C6A6B3D 2010-06-12 [E] [expires: 2019-03-23]
7
8-----BEGIN PGP PUBLIC KEY BLOCK-----
9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161=C5JG
162-----END PGP PUBLIC KEY BLOCK-----
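Review bot: the exported key carries `[expires: 2019-03-23]` on both the primary key and the encryption subkey, so this static copy goes stale within a few months of the commit date; consider adding a line to the file header, or to vulnerabilities.rst, stating how and when these exports are refreshed, or telling reporters that the keyserver listing is the authoritative copy and the file is only a convenience. The export also includes the `[jpeg image of size 2509]` photo uid, which is harmless but adds bulk to a file that reporters only need for the fingerprint and the key material.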
diff --git a/doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt b/doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
new file mode 100644
index 0000000..6094cc0
--- /dev/null
+++ b/doc/source/_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
@@ -0,0 +1,71 @@
1pub rsa4096 2018-01-11 [SC] [expires: 2019-03-23]
2 FB2EE15B2F0F12662B68ED9603750DEC158E5FA2
3uid [ultimate] Tobias Henkel <tobias.henkel@bmw-carit.de>
4uid [ultimate] Tobias Henkel <tobias.henkel@bmw.de>
5sub rsa4096 2018-01-11 [E] [expires: 2019-03-23]
6
7-----BEGIN PGP PUBLIC KEY BLOCK-----
8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70=NkrA
71-----END PGP PUBLIC KEY BLOCK-----
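Review bot: this listing is in a different format from the first key file: the `pub` line omits the `0x...` key ID and the fingerprint appears bare on the second line without the `Key fingerprint =` label, which suggests the two files were produced with different gpg versions or options. Normalizing both exports to one listing format would make it easier for a reporter to compare the fingerprint here against the keyserver "details" page; this key also expires 2019-03-23, so it needs the same refresh handling as the first file. Minor: the first uid here is `tobias.henkel@bmw-carit.de`, while vulnerabilities.rst names only `tobias.henkel@bmw.de`; a short note that both addresses belong to the same key would avoid confusion for a reporter who sees the other address first.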
diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 31ed7b6..b7eed9e 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -18,3 +18,4 @@ configure it to meet your needs.
18 encryption 18 encryption
19 badges 19 badges
20 howtos 20 howtos
21 vulnerabilities
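Review bot: the commit message says the reporting guidance should appear "prominently" in the User Guide, but the toctree entry is appended last, after `howtos`; consider moving `vulnerabilities` higher in the list, or adding a sentence with a :ref:`vulnerability-reporting` link (the label the new page defines) to the guide's introductory text so the page is reachable without scrolling to the end of the table of contents.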
diff --git a/doc/source/user/vulnerabilities.rst b/doc/source/user/vulnerabilities.rst
new file mode 100644
index 0000000..2384ef9
--- /dev/null
+++ b/doc/source/user/vulnerabilities.rst
@@ -0,0 +1,68 @@
1:title: Vulnerability Reporting
2
3.. _vulnerability-reporting:
4
5Vulnerability Reporting
6=======================
7
8Zuul strives to be as secure as possible, implementing a layered
9defense-in-depth approach where any untrusted code is executed and
10leveraging well-reviewed popular libraries for its cryptographic
11needs. Still, bugs are inevitable and security bugs are no exception
12to that rule.
13
14If you've found a bug in Zuul and you suspect it may compromise the
15security of some part of the system, we'd appreciate the opportunity
16to privately discuss the details before any suspected vulnerability
17is made public. There are a couple possible ways you can bring
18security bugs to our attention:
19
20Create a Private Story in StoryBoard
21------------------------------------
22
23You can create a private story at the following URL:
24
25`<https://storyboard.openstack.org/#!/story/new?force_private=true>`_
26
27Using this particular reporting URL helps prevent you from
28forgetting to set the ``Private`` checkbox in the new story UI
29before saving. If you're doing this from a normal story creation
30workflow instead, please make sure to set this checkbox first.
31
32Enter a short but memorable title for your vulnerability report and
33provide risks, concerns or other relevant details in the description
34field. Where it lists teams and users that can see this story, add
35the ``zuul-security`` team so they'll be able to work on triaging
36it. For the initial task, select the project to which this is
37specific (e.g., ``openstack-infra/zuul`` or
38``openstack-infra/nodepool``) and if it relates to additional
39projects you can add another task for each of them making sure to
40include a relevant title for each task. When you've included all the
41detail and tasks you want, save the new story and then you can
42continue commenting on it normally. Please don't remove the
43``Private`` setting, and instead wait for one of the zuul-security
44reviewers to do this once it's deemed safe.
45
46Report via Encrypted E-mail
47---------------------------
48
49If the issue is extremely sensitive or you’re otherwise unable to
50use the task tracker directly, please send an E-mail message to one
51or more members of the Zuul security team. You’re encouraged to
52encrypt messages to their OpenPGP keys, which can be found linked
53below and also on the keyserver network with the following
54fingerprints:
55
56.. TODO: add some more contacts/keys here
57
58* Jeremy Stanley <fungi@yuggoth.org>:
59 `key 0x97ae496fc02dec9fc353b2e748f9961143495829`_ (details__)
60
61* Tobias Henkel <tobias.henkel@bmw.de>:
62 `key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`_ (details__)
63
64.. _`key 0x97ae496fc02dec9fc353b2e748f9961143495829`: ../_static/0x97ae496fc02dec9fc353b2e748f9961143495829.txt
65.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0x97ae496fc02dec9fc353b2e748f9961143495829&fingerprint=on
66
67.. _`key 0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2`: ../_static/0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2.txt
68.. __: https://sks-keyservers.net/pks/lookup?op=vindex&search=0xfb2ee15b2f0f12662b68ed9603750dec158e5fa2&fingerprint=on
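Review bot: the "Report via Encrypted E-mail" section encourages encryption to the listed keys but gives no guidance on what to do when those keys have expired (both exports in `_static` expire 2019-03-23) or on how to check that the copy in `_static` matches the keyserver record; consider adding a sentence asking reporters to compare the fingerprint in the static file against the keyserver "details" page before encrypting, and a note on how the team keeps these keys current, since the `.. TODO` comment already anticipates the list changing. Two smaller points: "There are a couple possible ways" should read "a couple of possible ways"; and the two `details__` references depend on the ordering of the anonymous `.. __:` targets at the end of the file, which works today but breaks silently if a future contact is added with a named link and no matching anonymous target, so named targets (one per fingerprint) would be safer.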