To receive latest security and regular updates, users should stay up to date on all releases. Prior to the release of a 1.0.0 version only the latest released version will receive all security updates.
Please contact us at https://lakefs.io/contact-us/ if you need security updates for an earlier version.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We announce all releases on the lakefs-releases channel of our Slack workspace. There is also a mailing list for security announcements which you can join: security-announce@treeverse.io.
We take the security of lakeFS seriously. You can help us by following responsible disclosure guidelines.
If you believe you’ve discovered a serious vulnerability, please report it to us by emailing security@treeverse.io. Please do NOT open an issue as GitHub issues are publicly discoverable. We acknowledge reports within 24 hours. We will report progress to the email used for reporting.
We will evaluate your report and if necessary issue a fix and an advisory. We would like to credit you if the issue was unknown to us prior to your report; please tell us if you would prefer that we do not.
We will work to release a fix within 90 days. In rare conditions we may request an additional 14 days to release a fix. This is in line with disclosure policies such as those of Google Project Zero. Hopefully we shall release a fix well before then.