HTCSS Security

This page contains information about security policies and procedures in the HTCSS.

Overview

We at HTCondor appreciate the community’s efforts to help us find and fix security problems. Following these general guidelines will keep things simple and straightforward.

Duration of Support

HTCondor will provide security fixes for the current feature version and the current LTS version. After releasing a new LTS version, we will also continue to support the previous LTS version for approximately twelve months. Please see our online manual on the HTCondor Support Life Cycle for the current support dates.

Discovery and Reporting

If you suspect or have confirmed a security problem with the HTCondor software, please email us at htcondor-security@cs.wisc.edu. We will work with you, as the person who discovered the vulnerability, to establish a mutually agreeable timeline for announcing the vulnerability and releasing a new version.

Given the nature of security vulnerabilities, we prefer that you keep your findings strictly confidential. Please work with the HTCondor team to assess the full impact and create a timeline.

Fixing the Problem

It is the responsibility of the HTCondor developers to fix the problem. However, you may send your patch to htcondor-security@cs.wisc.edu for review by the HTCondor developers.

Coordinating with Downstream Providers

Before the public announcement, the HTCondor team will coordinate with downstream providers of the HTCondor software to let them know a new release is imminent, and we may provide updated source code and/or binaries to various parties at our discretion.

Publicly Announcing and Releasing

All public announcements will be made Monday through Thursday between 9 AM and 5 PM Central Time. The announcement will be sent to the HTCondor-users and HTCondor-world mailing lists; the HTCondor team keeps a web page listing all announced vulnerabilities.

When announcing the existence of a vulnerability, we will supply high-level details. The idea is to give just enough information so people can assess their risk and exposure, without giving away enough information to actually exploit the problem. These goals can be at odds with each other, and we generally tend towards being more vague if there is such a conflict.

The binaries and source code that fix the problem will be available from the HTCondor download page when the announcement is made.

Embargo

After publicly announcing the vulnerability and making the new version available, the full details will be embargoed for a minimum of 30 days. The embargo will be lifted at a date that is agreed upon by the HTCondor team and the person reporting the vulnerability. After that point, full details may be made public by any party and the vulnerability report posted on the HTCondor web site will be updated.