James Turnbull

Docker and Security

At the Docker project we’ve been around for less than twelve months but we’ve learnt a lot from some of the open source projects that have come before us. Indeed we’re not shy about talking about the debt we owe to projects like the Linux kernel for our governance and operating models.

Like the projects before us, one of the aspects of open source accountability we take very seriously is security. We’re conscious that Docker is an infrastructure project that has been embraced by a wide range of people: from developers building applications locally right up to production deployments, including some of the major PAAS platforms.

One of the responsibilities that comes with being deployed in so many places is a serious focus on the security of Docker as a project and a platform. As a result we’ve decided to publish some robust security policies and a process to which you can report potential security issues with Docker.

At the core of these policies is our support for the responsible disclosure of security vulnerabilities. Docker is happy to fully disclose all details of a security vulnerability but in the interests of responsible disclosure we ask security researchers and reporters to allow us sufficient time to patch the vulnerability before publishing the details. We will provide credit to any researcher or reporter who provides details of a vulnerability to us.

If you identify a security issue with Docker then please send an email to the security mailbox with the details. We’re review all incoming issues and any resulting security announcements will be sent to the docker-user and docker-dev mailing lists.

, ,

James Turnbull

Docker and Security

3 Responses to “Docker and Security”

  1. Jeffrey Paul

    Please stop using the term “responsible disclosure”. It frames all disclosures that do not adhere to this narrowly-defined protocol as “irresponsible”, which is simply not the case.

    Full disclosure, for example, is not irresponsible. Selected disclosure (e.g. black market only, with no vendor notification) usually is.

    If you had to choose between having exploits only sold to criminals or unfriendly intelligence agencies, or posted to the full-disclosure list, which would you prefer?

    If it’s not the former, please stop using this “responsible disclosure” term that makes everyone who doesn’t operate exactly the way you’d like seem like an asshole when in reality they’re helping all of us become more secure, advance vendor notice or not.


    • James Turnbull

      James Turnbull

      Hi Jeffrey

      Thanks for your comments. We’re using the term ‘responsible disclosure’ both because it is industry recognized terminology and because it represents the most appropriate form of disclosure for our project. We believe responsible disclosure is a partnership. We’re asking that security researchers and contributors respect our security policy and responsibly disclose vulnerabilities and security issues to us prior to making them public. In return, our commitment to our community is that we’ll review, risk assess and, where needed, fix those vulnerabilities or identify appropriate remediations.

      Thanks again.

  2. Ryan

    Any chance of getting security updates without having to subscribe to the general user/dev mailing lists? That’s a lot of noise to have to filter out when you’re only concerned with security issues.


Leave a Reply

Get the Latest Docker News by Email

Docker Weekly is a newsletter with the latest content on Docker and the agenda for the upcoming weeks.