Ubuntu Security disclosure and embargo policy

Valid since: October 2020

Canonical and the Ubuntu Security Team participate in responsible disclosure and collaborate with the wider community on security issues. This describes how to contact the Ubuntu Security Team, what you can expect when you contact us, and what we expect from you.

About Canonical

Canonical publishes the Ubuntu operating system in collaboration with a community of Ubuntu developers. Canonical also publishes other software projects such as LXD, MAAS, Juju, snapd, Snapcraft, Landscape, Launchpad and Mir.

Canonical's Ubuntu Security Team tends to the security needs of the Ubuntu operating system and serves as a point of contact for Canonical-authored software, both proprietary and open-source, as well as Canonical-owned and -managed infrastructure.

Please contact us if you believe you have found a security issue in Ubuntu, Canonical software or Canonical services.

How to report an issue to us

You may report issues to the Ubuntu Security Team via the Launchpad.net bug reporting interface (ubuntu-bug <packagename> is the most convenient way to get to the bug reporting form). Please be aware that Launchpad.net will send email in plaintext in response to bug reports.

You may also send email to security@ubuntu.com. Email may optionally be encrypted to OpenPGP key 4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0

If you have a deadline for public disclosure, please let us know.

Scope

Ubuntu is built on the contributions of thousands of projects. Usually issues that affect Ubuntu will affect other projects and other Linux distributions. Sometimes we may ask reporters to contact upstream developers.

The Ubuntu distribution is divided into multiple pockets: main, universe, restricted, and multiverse. Packages in main are supported by the Ubuntu Security Team. Packages in universe and multiverse are supported by the community; the Ubuntu Security Team can sponsor fixes prepared and tested by community members.

Packages in restricted are supported by Canonical's business partners. The Ubuntu Security Team can coordinate with our partners.

Software written by Canonical, but delivered outside of Ubuntu, is supported by different teams at Canonical. The Ubuntu Security Team is happy to coordinate communication between external entities (i.e. analysts, reporters) and supporting teams within Canonical, as well as provide guidance and feedback.

The Canonical Launchpad code hosting service, Canonical Snap Store, and Canonical Juju Charm Store allows anyone to publish software to users. Launchpad, the Snap Store, and the Juju Charm Store provide a way to contact publishers. As per the terms and conditions for these services, publishers are solely responsible for support of their software. If you believe any of these services are being used to host or distribute malicious software, this can be reported either to the Ubuntu Security team or to the relevant platform as appropriate.

Ubuntu and Canonical software is distributed through many channels: Canonical-operated download sites, public cloud providers, and community-operated mirrors. Sometimes security issues may be due to customizations at specific providers or distributors; in which case we may ask reporters to contact another party for support.

Out of scope

We will not issue CVEs or fixes for software that is no longer supported. Please check if found issues affect supported versions of software.

Not all bugs are vulnerabilities. We use a common understanding of Internet-connected multi-user computers where some of the user accounts may have privileges. Because of this, our idea of what constitutes a vulnerability may not match definitions used by other organizations. We cannot promise every issue reported to us as a security vulnerability will be handled as one; when we differ, we will endeavor to explain our reasoning.

What to expect from us

We intend to provide an initial response to reporters within two business days.

The Ubuntu Security Team can assign CVE numbers for issues in Canonical software, as well as anything shipped in Ubuntu. We may direct the reporter to use cveform.mitre.org for publicly known issues in non-Canonical software to avoid duplicate assignments.

For issues that are not yet publicly known, we will abide by any embargoes as necessary. We reserve the right to release fixes before an embargo has expired if other parties disclose the issue before the agreed upon embargo date or if there is evidence of abuse.

We may or may not provide further information to reporters about similar issues. We may or may not ask reporters to collaborate on solutions or work-arounds. We may or may not ask reporters for assistance testing solutions or work-arounds.

We are not affiliated with any bug bounty programs. We do not ourselves pay for bug reports, in either our software or our infrastructure.

We are happy to give credit to reporters in our CVE assignments and in our Ubuntu Security Notices. We will use real names of discoverers, with no affiliations, in our USNs.

Disclosure timelines

When we assign a CVE, we intend to publish CVE details within one week after we provide update notifications or release new versions of software. We may publish CVE details before we provide fixes. Reporters are free to prepare whatever content they wish. We would like exploits and proof of concept exploits to be held private for at least one week after fixes are published to allow our users adequate time to test and install updates before exploits are easily available.

Safe harbour

Ubuntu is proudly built on the contributions of thousands and our security is no exception. We welcome responsible research into the security of our software to make Ubuntu and Canonical software secure for everyone.

However, we do not welcome active security probing of Canonical or Ubuntu infrastructure and services. If you believe you have found a security issue in Canonical or Ubuntu infrastructure or services please contact us.