Security Vulnerabilities

    To make a report, send an email to the private mailing list with the vulnerability details. For normal product bugs unrelated to latent security vulnerabilities, please head to our Reporting Bugs page to learn what to do.

    Send us a report whenever you:

    • Are unsure whether or how a vulnerability affects Istio.
    • Think a vulnerability is present in another project that Istio depends on. For example, Envoy, Docker, or Kubernetes.

    When in doubt, please disclose privately. This includes, but is not limited to:

    • Any crash, especially in Envoy
    • Any security policy (like Authentication or Authorization) bypass or weakness
    • Any potential Denial of Service (DoS)

    When not to report a security vulnerability?

    Don’t send a vulnerability report if:

    • You need help tuning Istio components for security.
    • You need help applying security related updates.

    Any vulnerability information you share with the Istio security team stays within the Istio project. We don’t disseminate the information to other projects. We only share the information as needed to fix the issue.

    We keep the reporter updated as the status of the security issue moves from , to , to .

    Once a security vulnerability has been fully characterized, a fix is developed by the Istio team. The development and testing for the fix happens in a private GitHub repository in order to prevent premature disclosure of the vulnerability.

    The Istio project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable information to close Istio partners. The list is not intended for individuals to find out about security issues.

    On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:

    • Changes are merged from the private GitHub repository holding the fix into the appropriate set of public branches.

    • Release engineers ensure all necessary binaries are promptly built and published.

    • Once the binaries are available, an announcement is sent out on the following channels: