CVE and Security Patch Policy

Buoyant Enterprise for Linkerd is our production-ready distribution of Linkerd, and we provide certain security guarantees to our users and customers. In this document, we describe our approach to security vulnerabilities (colloquially, “CVEs”) that are reported to the project.

From the Linkerd project security statement:

Security is critical to Linkerd and we take it very seriously. Not only must Linkerd be secure, it must improve the security of the system around it. To this end, every aspect of Linkerd’s development is done with security in mind.

Linkerd makes use of a variety of tools to ensure software security, including:

  • Code review
  • Dependency hygiene and supply chain security via dependabot
  • Fuzz testing
  • Third-party security audits
  • And other forms of manual, static, and dynamic checking.

Any security vulnerability that actually impacts Linkerd users will receive immediate attention and be fixed as rapidly as possible, including:

  • In open source Linkerd, where it will become available in the next edge release;
  • In the latest BEL stable version, where the fix will be backported and a new minor version stable release published; and
  • In earlier BEL stable releases, where the fix will be backported and a new minor version stable release published.

If you run BEL, you should expect that the latest version will never contain any known security vulnerabilities that will affect you. (Or if it does, it was recently reported and we are already working on a fix.)

The majority of security vulnerabilities reported to the project don’t actually impact Linkerd. These are often CVEs in underlying libraries or container images that are not used directly by Linkerd, or are used in a way such that the vulnerability does not affect Linkerd users.

For these non-affecting CVEs, our approach is:

  • We issue a hotpatch release which fixes this CVE. These hotpatch releases are only available under certain plans; see the Plans and Pricing page for details.
  • In the next stable release, whenever it is released, we include all CVE remediations published as hotpatches since the previous stable release.

Thus, even though they don’t impact Linkerd, all BEL users will ultimately receive these fixes, and customers who are required to adhere to strict compliance policies around CVEs can make use of hotpatch releases to satisfy this requirement.