This document describes how the pgsty/minio maintainers investigate,
assess, and remediate reported vulnerabilities affecting this fork, any
directly shipped component, or a direct / indirect dependency used by this
repository.
This policy covers vulnerability reports opened by repository maintainers or
external third parties against pgsty/minio itself, its release artifacts, or
dependencies that materially affect this fork.
It defines the information needed for triage and the expected remediation workflow for supported fixes.
A useful vulnerability report should contain the following information:
- The project / component that contains the reported vulnerability.
- A description of the vulnerability. In particular, the type of the reported vulnerability and how it might be exploited. Alternatively, a well-established vulnerability identifier, such as a CVE or GHSA ID, can be used instead.
Based on the report, the pgsty/minio maintainers investigate:
- Whether the reported vulnerability exists.
- The conditions under which the vulnerability can be exploited.
- Which releases, branches, or deployment paths are affected.
- The steps required to fix the vulnerability.
If the vulnerability exists in this fork itself, the maintainers will, when
feasible, fix the issue or implement reasonable countermeasures such that the
vulnerability can no longer be exploited. Fork-specific upgrade notes and
security advisories are published in docs/security/advisories.md.