If you uncover a security problem with Firecracker, please write to us on [email protected].
Once the Firecracker maintainers become aware (or are made aware) of a security vulnerability, they will immediately assess it. Based on impact and complexity, they will determine an embargo period (if externally reported, the period will be agreed upon with the external party).
During the embargo period, maintainers will prioritize developing a fix over other activities. Within this period, maintainers may also notify a limited number of trusted parties via a pre-disclosure list, providing them with technical information, a risk assessment, and early access to a fix.
The external customers are included in this group based on the scale of their Firecracker usage in production. The pre-disclosure list may also contain significant external security contributors that can join the effort to fix the vulnerability during the embargo period.
At the end of the embargo period, maintainers will publicly release information about the vulnerability together with the Firecracker patches that mitigate it.