# Security Policy

---

<p align="center">
  <strong>Reporting a vulnerability? See the <a href="#vulnerability-reporting">Vulnerability Reporting section</a></strong>
</p>

---

We understand that many users place a high level of trust in Vector to collect
and ship mission-critical data. The security of Vector is a top priority.
That's why we apply widely accepted best practices when it comes to security.
This document describes these practices and aims to be as transparent as
possible about our security efforts.

<!-- MarkdownTOC autolink="true" style="ordered" indent="   " -->

1. [Project Structure](#project-structure)
   1. [Transparency](#transparency)
      1. [Open Source](#open-source)
      1. [Workflow](#workflow)
   1. [Version Control](#version-control)
      1. [Git](#git)
      1. [Signed Commits](#signed-commits)
      1. [Protected Branches](#protected-branches)
1. [Personnel](#personnel)
   1. [Education](#education)
   1. [Policies](#policies)
   1. [Two-factor Authentication](#two-factor-authentication)
1. [Development](#development)
   1. [Design & Architecture](#design--architecture)
      1. [Rust](#rust)
      1. [Unsafe Code](#unsafe-code)
      1. [User Privileges](#user-privileges)
   1. [Dependencies](#dependencies)
   1. [Change Control](#change-control)
      1. [Pull Requests](#pull-requests)
      1. [Reviews & Approvals](#reviews--approvals)
      1. [Merge Policies](#merge-policies)
      1. [Automated Checks](#automated-checks)
         1. [Vulnerability Scans](#vulnerability-scans)
         1. [Fuzz Testing](#fuzz-testing)
1. [Building & Releasing](#building--releasing)
   1. [Network Security](#network-security)
   1. [Runtime Isolation](#runtime-isolation)
   1. [Asset Audit Logging](#asset-audit-logging)
   1. [Asset Signatures & Checksums](#asset-signatures--checksums)
1. [Vulnerability Reporting](#vulnerability-reporting)

<!-- /MarkdownTOC -->

## Project Structure

Project structure plays an important role in security. It creates guardrails
that prevent common security issues. This section outlines our deliberate
structural decisions that impact security.

### Transparency

We believe transparency is a strong deterrent to nefarious behavior that could
otherwise undermine security.

#### Open Source

Vector and its dependencies are open-source. All code and changes are publicly
available at [our GitHub repo][urls.vector_repo]. While the transparent nature
of open source helps to improve security, so does the large collaborative
community behind Vector.

#### Workflow

All of Vector's workflow is transparent.
[Pull requests][urls.vector_pull_requests], [issues][urls.vector_issues],
[chats][urls.vector_chat], and [our roadmap][urls.vector_roadmap]
are all publicly available.

### Version Control

Version control ensures that all code changes are audited and authentic.

#### Git

Vector leverages the [Git][urls.git] version-control system. This ensures all
changes are audited and traceable.

#### Signed Commits

Because of Vector's [merge style](CONTRIBUTING.md#merge-style), commits to
release branches are signed by GitHub itself during the squash and merge
process. Signing commits to development branches is encouraged but not
required, since changes must go through a [review process](#reviews--approvals).

#### Protected Branches

Vector cuts releases from the `master` and `v*` branches _only_. These branches
are [protected][urls.github_protected_branches]. The exact requirements are:

* Cannot be deleted.
* Force pushes are not allowed.
* A linear history is required.
* Signed commits are required.
* Administrators are included in these checks.

## Personnel

### Education

Vector team members are required to review this security document as well as
the [contributing](CONTRIBUTING.md) and [reviewing](REVIEWING.md) documents.

### Policies

Vector maintains this security policy. Changes are communicated to all Vector
team members.

### Two-factor Authentication

All Vector team members are required to enable two-factor authentication
for their GitHub accounts.

## Development

### Design & Architecture

The base of Vector's security lies in our choice of underlying technology and
decisions around design and architecture.

#### Rust

The [Rust programming language][urls.rust] is memory-safe and thread-safe; it
will catch many common sources of vulnerabilities at compile time.

#### Unsafe Code

Vector does not allow the use of unsafe code except in circumstances where it
is required, such as dealing with CFFI.

#### User Privileges

Vector is always designed to run under non-`root` privileges, and our
documentation always defaults to non-`root` use.

### Dependencies

Vector aims to reduce the number of dependencies it relies on. If a dependency
is added, it goes through a comprehensive review process that is detailed in
the [Reviewing guide](REVIEWING.md#dependencies).

### Change Control

As noted above, Vector uses the Git version control system on GitHub.

#### Pull Requests

All changes to Vector must go through a pull request review process.

#### Reviews & Approvals

All pull requests must be reviewed by at least one Vector team member. The
review process takes into account many factors, all of which are detailed in
our [Reviewing guide](REVIEWING.md). In exceptional circumstances, this
approval can be retroactive.

#### Merge Policies

Vector requires pull requests to pass all [automated checks](#automated-checks).
Once passed, the pull request must be squashed and merged. This creates a clean
linear history with a Vector team member's co-sign.

#### Automated Checks

When possible, we'll create automated checks to enforce security policies.

##### Vulnerability Scans

Vector implements an automated [`cargo deny` check][urls.cargo_deny]. This
check audits Vector's dependencies against the
[Rust Security advisory database][urls.rust_sec].

##### Fuzz Testing

Vector implements automated fuzz testing to probe our code for other sources
of potential vulnerabilities.

## Building & Releasing

Vector takes care to secure the build and release process to prevent unintended
modifications.

### Network Security

All network traffic is secured via TLS and SSH. This includes checking out
Vector's code from the relevant [protected branch](#protected-branches),
Docker image retrieval, and publication of Vector's release artifacts.

### Runtime Isolation

All builds run in an isolated sandbox that is destroyed after each use.

### Asset Audit Logging

Changes to Vector's assets are logged through S3's audit logging feature.

### Asset Signatures & Checksums

All assets are signed with checksums allowing users to verify asset authenticity
upon download. This verifies that assets have not been modified at rest.

## Vulnerability Reporting

We deeply appreciate any effort to discover and disclose security
vulnerabilities responsibly.

If you would like to report a vulnerability or have any security concerns with
Vector, please e-mail vector@timber.io.

For non-critical matters, we prefer users [open an issue][urls.new_security_report].
For us to best investigate your request, please include any of the
following when reporting:

* Proof of concept
* Any tools, including versions used
* Any relevant output

We take all disclosures very seriously and will do our best to rapidly respond
and verify the vulnerability before taking the necessary steps to fix it. After
our initial reply to your disclosure, which should be directly after receiving
it, we will periodically update you with the status of the fix.


[urls.cargo_deny]: https://github.com/EmbarkStudios/cargo-deny
[urls.git]: https://git-scm.com/
[urls.github_protected_branches]: https://help.github.com/en/github/administering-a-repository/about-protected-branches
[urls.new_security_report]: https://github.com/timberio/vector/issues/new?labels=domain%3A+security
[urls.rust]: https://www.rust-lang.org/
[urls.rust_sec]: https://rustsec.org/
[urls.vector_chat]: https://chat.vector.dev
[urls.vector_issues]: https://github.com/timberio/vector/issues
[urls.vector_pull_requests]: https://github.com/timberio/vector/pulls
[urls.vector_repo]: https://github.com/timberio/vector
[urls.vector_roadmap]: https://github.com/timberio/vector/milestones?direction=asc&sort=due_date&state=open
