CVE and Security Patch Policy
Buoyant provides specific security guarantees around Buoyant Enterprise for Linkerd (BEL). In this document, we describe our approach to these guarantees.
Linkerd security statement
From the Linkerd project security statement:
Security is critical to Linkerd and we take it very seriously. Not only must Linkerd be secure, it must improve the security of the system around it. To this end, every aspect of Linkerd’s development is done with security in mind.
Linkerd makes use of a variety of tools to ensure software security, including:
- Code review
- Dependency hygiene and supply chain security via dependabot
- Fuzz testing
- Third-party security audits
- And other forms of manual, static, and dynamic checking.
CVE policy
When CVEs are reported against Linkerd, we will triage them for impact to Linkerd. Vulnerabilities classified as medium severity or higher, and which Buoyant determines do affect Linkerd users, will receive immediate attention and be fixed as rapidly as possible, including:
- In open source Linkerd, if necessary, where it will become available in an edge release;
- In BEL versions under active support, where a new stable minor release will be published.
CVEs of low or negligible criticality, or which we determine do not affect Linkerd, may not be addressed. Similarly, BEL versions outside of active support may not receive fixes.
Buoyant Security Advisories
To report a vulnerability in Buoyant software or view security advisories, see the Security page.