We release patches for security vulnerabilities. The versions eligible for such patches are listed below:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ✅ |
The Azure Stack team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them privately to the maintainer, @mtnvencenzo.
To help us better understand the nature and scope of the possible issue, please include as much of the following information as possible:
- Type of issue (e.g., container escape, exposed credentials, insecure defaults)
- Full paths of the source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Our response timeline:
- Initial Response: Within 48 hours of receiving your report
- Status Update: Within 7 days with a more detailed response
- Resolution: We aim to resolve critical issues within 30 days
We believe in acknowledging security researchers who help improve our security:
- Security Advisory: We will credit you in the security advisory (unless you prefer to remain anonymous)
- Hall of Fame: Recognition in our security contributors list
Security best practices for users of this project:
- Keep Updated: Always use the latest version of the Docker images
- Network Security: Run the containers on isolated Docker networks and publish emulator ports on loopback only
- Local Use Only: These emulators are designed for local development only; they use well-known default credentials and must not be reachable from untrusted networks
- Environment Security: Keep your Docker environment and host system updated
- Container Security: Use the official Microsoft images for the Azure service emulators
- Network Isolation: Segment the emulator network from any other workloads on the host
- Monitoring: Monitor container logs for unusual activity
- Updates: Keep the image tags in your Dockerfiles and compose files current (this repository uses Dependabot for that)
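The following compose fragment is an added example, not the project's own compose file, illustrating the "local use only" and "isolated network" guidance above. The first service uses a bare `host:container` port mapping, which Docker publishes on every host interface (0.0.0.0), so the emulator and its publicly documented default credentials become reachable from the LAN. The second binds the port to loopback and keeps the emulator on a dedicated bridge network. The Azurite image is assumed to be one the stack runs; the service names, network name and the pinned tag are illustrative.

```yaml
# Added example (not the project's compose file).
# Assumption: the stack runs the official Azurite storage emulator image.
services:

  # WEAK: "10000:10000" is shorthand for "0.0.0.0:10000:10000", so the
  # emulator listens on every host interface and is reachable from the LAN.
  # Azurite's default account name and key are public, so anyone who can
  # reach the port has full access to the emulated storage account.
  azurite-weak:
    image: mcr.microsoft.com/azure-storage/azurite:latest
    ports:
      - "10000:10000"

  # HARDENED: bind the published port to loopback so only processes on this
  # host can connect, and attach the emulator to a dedicated bridge network
  # so other containers on the host reach it only if they join that network.
  azurite:
    image: mcr.microsoft.com/azure-storage/azurite:3.29.0   # illustrative pinned tag; Dependabot can bump a pinned tag, but never ":latest"
    ports:
      - "127.0.0.1:10000:10000"   # blob endpoint, loopback only
    networks:
      - emulators

networks:
  emulators:
    driver: bridge
```

On Linux, Docker inserts its published-port rules ahead of most host firewall rules, so relying on the host firewall to hide a `0.0.0.0` binding is fragile; binding to `127.0.0.1` is the reliable control. To check a running stack, look at the PORTS column of `docker ps`: it should read `127.0.0.1:10000->10000/tcp`, not `0.0.0.0:10000->10000/tcp`.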
Our security measures include:
- ✅ Official Images: Using only official Microsoft Azure emulator images
- ✅ Network Isolation: Containers run on isolated Docker networks
- ✅ Local Development: Services designed for local development environments only
- ✅ Dependency Scanning: Automated via Dependabot
- ✅ Regular Updates: Keeping emulator images current
- ✅ Documentation: Clear security guidelines and best practices
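As an added example of the Dependabot setup the measures above refer to (this is not the repository's actual configuration), the file below, placed at `.github/dependabot.yml`, makes Dependabot open pull requests when a newer tag exists for an image referenced in a Dockerfile. It assumes the Dockerfile lives at the repository root; the schedule and labels are illustrative.

```yaml
# Added example (not the repository's own dependabot.yml).
# Assumption: image references are in a Dockerfile at the repository root.
version: 2
updates:
  - package-ecosystem: "docker"   # watches FROM lines in Dockerfiles
    directory: "/"                # location of the Dockerfile(s)
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "security"
```

Dependabot can only propose an update for a tag it can compare against, so images pinned to a version tag (for example `azurite:3.29.0`, an illustrative tag) get update pull requests, while images referenced as `:latest` silently never do. Pinning is therefore a prerequisite for the "Regular Updates" measure, not an alternative to it.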
Thank you for helping keep Azure Stack and our users safe!