At the Docker project we’ve been around for less than twelve months but we’ve learnt a lot from some of the open source projects that have come before us. Indeed we’re not shy about talking about the debt we owe to projects like the Linux kernel for our governance and operating models.
Like the projects before us, one of the aspects of open source accountability we take very seriously is security. We're conscious that Docker is an infrastructure project that has been embraced by a wide range of people: from developers building applications locally right up to production deployments, including some of the major PaaS platforms.
One of the responsibilities that comes with being deployed in so many places is a serious focus on the security of Docker as a project and a platform. As a result we've decided to publish some robust security policies and a process through which you can report potential security issues with Docker.
At the core of these policies is our support for the responsible disclosure of security vulnerabilities. Docker is happy to fully disclose all details of a security vulnerability but in the interests of responsible disclosure we ask security researchers and reporters to allow us sufficient time to patch the vulnerability before publishing the details. We will provide credit to any researcher or reporter who provides details of a vulnerability to us.
If you identify a security issue with Docker then please send an email to the security mailbox with the details. We review all incoming issues, and any resulting security announcements will be sent to the docker-user and docker-dev mailing lists.