Hubble Network Security Vulnerability Handling

Hubble Network is committed to maintaining a secure and reliable platform. This document outlines the security vulnerability reporting and management policy for Hubble Network.

Introduction

Vulnerabilities in the Hubble Network platform may be reported via email to the security@hubblenetwork.com mailing list. These reports will be acknowledged and analyzed by the security response team within 1 week. Each vulnerability will be entered into the Hubble Network Security Advisory system. The original submitter will be granted permission to view the issues they have reported.

Security Issue Management

Issues within the bug tracking system will transition through several states as described below:

digraph {
   // Graphviz (DOT) source for the issue-state diagram below.
   node [style = rounded];
   init [shape = point];              // entry point: a report is filed
   New [shape = box];
   Triage [shape = box];
   {
     rank = same;                     // place Assigned and Rejected side by side
     Assigned [shape = box];
     Rejected [shape = box];
   }
   Review [shape = box];
   Accepted [shape = box];
   Public [shape = box];

   init -> New;
   New -> Triage;
   Triage -> Rejected [dir = both];   // a rejected issue may be sent back to Triage
   Triage -> Assigned;
   Assigned -> Review [dir = both];   // a PR that fails review returns to Assigned
   Review -> Accepted;
   Review -> Rejected;
   Accepted -> Public;                // visible once the embargo period ends
}

  • New: Represents new reports entered directly by a reporter. When entered by the response team in response to an email, the issue transitions directly to Triage.

  • Triage: The issue is awaiting analysis by the response team. The team will determine a responsible entity, assign the issue, and set its priority.

  • Assigned: The issue has been assigned and is awaiting a fix by the assignee.

  • Review: Once a pull request (PR) is created for the issue, the PR link will be added to a comment, and the issue will move to Review.

  • Accepted: Indicates that the issue has been merged into the appropriate branch.

  • Public: The embargo period has ended, and the issue will be made publicly visible. Associated CVEs and documentation will be updated.

The security advisories are kept private due to the sensitive nature of security reports. Access is limited to:

  • Members of the Project Security Incident Response Team (PSIRT).

  • The reporter.

  • Others as approved by Hubble Network.

Hubble Network will review each reported vulnerability and determine whether it needs to be embargoed based on:

  • Severity of the issue.

  • Exploitability of the issue.

Security-sensitive vulnerabilities will be made public after an embargo period of at most 90 days, allowing:

  • 30 days for Hubble Network to fix the issue.

  • 60 days for external parties to apply and distribute fixes.

Fix Recommendations

Fixes to the code shall be made through pull requests (PRs) in the Hubble Network GitHub repository. These PRs will:

  • Avoid revealing sensitive details about the vulnerability.

  • Avoid referencing advisory information in PR descriptions.

Vulnerability Notification

Each Hubble Network release will include a report of vulnerabilities fixed in that release. After the embargo period, the vulnerabilities page will be updated with additional details, giving credit to reporters unless anonymity is requested.

When issues are triaged, Hubble Network will inform users of:

  • The Hubble Network Security Advisory link.

  • The area involved.

  • The severity of the issue.

After a PR fixing the issue is merged, customers will also be informed of:

  • The association between the advisory and the PR.

  • Backport plans within Hubble Network.

Backporting of Security Vulnerabilities

Each security issue fixed in Hubble Network will be backported to:

  • The two most recent releases.