From a1fe41d214e4daea039e3e181ca5c0ea6d0d3feb Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Fri, 17 Oct 2025 10:29:07 -0600 Subject: [PATCH] security: update versions and general info Signed-off-by: Eduardo Silva --- SECURITY.md | 64 ++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 11 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 33bb7bd90d2..daa056f1fb8 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,19 +1,61 @@ -# Security Policy +# πŸ”’ Security Policy + +Fluent Bit maintains active security support for a limited set of release lines. Security updates are provided for the versions listed below until their End-of-Maintenance (EOM) dates. ## Supported Versions +| Version | Status | Security Updates Until | +|-----------|------------|------------------------| +| **4.2.x** | βœ… Active | **June 30, 2026** | +| **4.1.x** | βœ… Active | **March 31, 2026** | +| **4.0.x** | βœ… Active | **December 31, 2025** | +| **3.2.x** | ❌ EOL | β€” | +| **< 3.2** | ❌ EOL | β€” | + +> **Note:** 3.2 and earlier are End-of-Life (EOL) and receive no further fixes. + +--- + +## Maintenance & Backport Policy + +- We backport **critical** and **high-severity** security fixes to all **Active** branches listed above. +- Medium/low-severity fixes may be backported at the maintainers’ discretion. +- After a branch reaches **EOM**, no further patches are published for that line. +- Users are strongly encouraged to keep current with the latest **4.x** release line. + +--- + +## πŸ“£ Reporting a Vulnerability + +Please report suspected vulnerabilities **privately**: + +- Email: **fluentbit-security@googlegroups.com** +- Include: affected versions, environment, clear reproduction steps, logs/traces, and impact assessment if known. + +**Please do not** file public GitHub issues for security reports. + +**Response targets** (best effort): +- **Acknowledgement:** within 72 hours +- **Initial assessment:** within 7 days +- **Fix/Advisory:** coordinated with reporter; timing depends on severity and scope + +--- + +## πŸ” Coordinated Disclosure + +- We work with reporters to validate issues, develop fixes, and publish coordinated advisories. +- Public disclosure occurs once a fix or acceptable mitigation is available, or by mutual agreement. 
+ +--- -| Version | Supported | -|---------| ------------------ | -| 4.0.x | :white_check_mark: | -| 3.2.x | :white_check_mark: | -| < 3.2 | :x: | +## πŸ“’ Security Announcements -## Reporting a Vulnerability +- Security advisories and related notices are shared via: + - GitHub **Security Advisories** on the Fluent Bit repo + - GitHub **Discussions**: -Please get in touch with the team at fluentbit-security@googlegroups.com, and we'll take it from there. -Thank you in advance for helping to keep Fluent-bit secure. +For third-party CVEs that may impact Fluent Bit, we will post an assessment and any required guidance through the channels above. -## Announcements +--- -For related CVEs that may or not affect Fluent Bit we'll be doing the corresponding announcement through [discussions](https://github.com/fluent/fluent-bit/discussions). +_Last updated: October 17, 2025_ \ No newline at end of file
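Review bot: the new Security Announcements section drops the Discussions link that the old text carried. The removed line `-For related CVEs that may or not affect Fluent Bit we'll be doing the corresponding announcement through [discussions](https://github.com/fluent/fluent-bit/discussions).` had the URL, but the replacement bullet `+  - GitHub **Discussions**:` ends at the colon with nothing after it, so readers of the new file have no way to find the channel the policy says advisories are posted to. Suggest restoring the URL, e.g. `- GitHub **Discussions**: https://github.com/fluent/fluent-bit/discussions`, and likewise linking the Security Advisories bullet to the repository's advisories page so both announcement channels named in the text are actually reachable from the document. Minor style point: the file now ends without a trailing newline (`\ No newline at end of file` on the `_Last updated_` line); add one so the next edit of SECURITY.md does not produce a spurious diff on that line.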