Merged
64 changes: 53 additions & 11 deletions SECURITY.md
@@ -1,19 +1,61 @@
# Security Policy
# 🔒 Security Policy

Fluent Bit maintains active security support for a limited set of release lines. Security updates are provided for the versions listed below until their End-of-Maintenance (EOM) dates.

## Supported Versions

| Version | Status | Security Updates Until |
|-----------|------------|------------------------|
| **4.2.x** | ✅ Active | **June 30, 2026** |
| **4.1.x** | ✅ Active | **March 31, 2026** |
| **4.0.x** | ✅ Active | **December 31, 2025** |
| **3.2.x** | ❌ EOL | — |
| **< 3.2** | ❌ EOL | — |

> **Note:** 3.2 and earlier are End-of-Life (EOL) and receive no further fixes.

---

## Maintenance & Backport Policy

- We backport **critical** and **high-severity** security fixes to all **Active** branches listed above.
- Medium/low-severity fixes may be backported at the maintainers’ discretion.
- After a branch reaches **EOM**, no further patches are published for that line.
- Users are strongly encouraged to keep current with the latest **4.x** release line.

---

## 📣 Reporting a Vulnerability

Please report suspected vulnerabilities **privately**:

- Email: **[email protected]**
- Include: affected versions, environment, clear reproduction steps, logs/traces, and impact assessment if known.

**Please do not** file public GitHub issues for security reports.

**Response targets** (best effort):
- **Acknowledgement:** within 72 hours
- **Initial assessment:** within 7 days
- **Fix/Advisory:** coordinated with reporter; timing depends on severity and scope

---

## 🔐 Coordinated Disclosure

- We work with reporters to validate issues, develop fixes, and publish coordinated advisories.
- Public disclosure occurs once a fix or acceptable mitigation is available, or by mutual agreement.

---

| Version | Supported |
|---------| ------------------ |
| 4.0.x | :white_check_mark: |
| 3.2.x | :white_check_mark: |
| < 3.2 | :x: |
## 📢 Security Announcements

## Reporting a Vulnerability
- Security advisories and related notices are shared via:
- GitHub **Security Advisories** on the Fluent Bit repo
- GitHub **Discussions**: <https://github.com/fluent/fluent-bit/discussions>

Please get in touch with the team at [email protected], and we'll take it from there.
Thank you in advance for helping to keep Fluent-bit secure.
For third-party CVEs that may impact Fluent Bit, we will post an assessment and any required guidance through the channels above.

## Announcements
---

For related CVEs that may or not affect Fluent Bit we'll be doing the corresponding announcement through [discussions](https://github.com/fluent/fluent-bit/discussions).
_Last updated: October 17, 2025_
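
Review bot: In the Supported Versions table, the Status column repeats what the date column already says and will go stale. The 4.0.x row reads "Active" with security updates until December 31, 2025, which is about ten weeks after the "Last updated: October 17, 2025" stamp, so the row becomes wrong unless the file is edited on that date. Consider dropping the Status column, or adding a sentence that the date governs when the two disagree. The terminology also switches between End-of-Maintenance (EOM) in the intro and the backport policy and End-of-Life (EOL) in the table and the note; state whether these mean the same thing or define both. Lastly, 3.2.x moves from supported in the old table to EOL here with no date in its row, so users on 3.2.x cannot tell when support ended; giving that row a date instead of a dash would help.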