Security: dimaqq/concierge

Security policy

Supported versions

Security updates will be released for all major versions that have had releases in the last year.

Reporting a vulnerability

Please provide a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

The easiest way to report a security issue is through GitHub's security advisory for this project. See Privately reporting a security vulnerability for instructions on reporting using GitHub's security advisory feature.

The Concierge GitHub admins will be notified of the issue and will work with you to determine whether the issue qualifies as a security issue and, if so, in which component. We will then figure out a fix, get a CVE assigned, and coordinate the release of the fix.

You may also send email to [email protected]. Email may optionally be encrypted to OpenPGP key 4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0.

If you have a deadline for public disclosure, please let us know. Our vulnerability management team intends to respond within 3 working days of your report. This project aims to resolve all vulnerabilities within 90 days.

The Ubuntu Security disclosure and embargo policy contains more information about what you can expect when you contact us, and what we expect from you.

Cryptographic technology

Concierge uses cryptographic technology to securely download Snaps and Debian packages from the Ubuntu archive to install. Some of those tools, such as Juju, will in turn use cryptographic technology to securely download images and other data needed to initialise.

Concierge uses apt to install Debian packages, and Snap (via the snapcore/snapd library) to install Snaps.

Hardening

No additional steps are required to harden your system when using Concierge.

Risks

Concierge does not add any risks over manually installing and configuring the Snaps and other packages included in the presets. However, users should be familiar with the security of each of the installed products.

Good practice

If you are providing credentials to Concierge for clouds, ensure that these are stored securely.

There aren’t any published security advisories