The open-source DataHub project takes security seriously. As part of our commitment to maintaining a secure environment for our users and contributors, we have established a comprehensive security policy. This document outlines the key aspects of our approach to handling security vulnerabilities and keeping our community informed.
We have a proactive approach to security. To date we've successfully resolved many security related issues reported by community members or flagged by automated scanners (which includes upstream dependencies and what known risks the dependencies contain), demonstrating our commitment to maintaining a secure platform. This is a testament to the collaborative efforts of our community in identifying and helping us address potential vulnerabilities. It truly takes a village.
If you believe you've discovered a security vulnerability in DataHub, we encourage you to report it immediately. We have a dedicated process for handling security-related issues to ensure they're addressed promptly and discreetly.
For detailed instructions on how to report a security vulnerability, including our PGP key for encrypted communications, please visit our official security policy page:
We kindly ask that you do not disclose the vulnerability publicly until the committers have had the chance to address it and make an announcement.
Once a security issue is reported, the project follows a structured process to ensure that each report is handled with the attention and urgency it deserves. This includes:
- Verifying the reported vulnerability
- Assessing its potential impact
- Developing and testing a fix
- Releasing security patches
- Coordinating the public disclosure of the vulnerability
All reported vulnerabilities are carefully assessed and triaged internally to ensure appropriate action is taken.
While we appreciate the value of automated vulnerability detection systems like Dependabot, we want to emphasize the importance of critical thinking when addressing flagged issues. These systems are excellent at providing signals of potential vulnerabilities, but they shouldn't be followed blindly.
Here's why:
-
Context matters: An issue flagged might only affect a non-serving component of the stack (such as our docs-website code or our CI smoke tests), which may not pose a significant risk to the overall system.
-
False positives: Sometimes, these systems may flag vulnerabilities in libraries that are linked but not actively used. For example, a vulnerability in an email library might be flagged even if the software never sends emails.
-
Exploit feasibility: Some vulnerabilities may be technically present but extremely difficult or impractical to exploit in real-world scenarios. Automated scanners often don't consider the actual implementation details or security controls that might mitigate the risk. For example, a reported SQL injection vulnerability might exist in theory, but if the application uses parameterized queries or has proper input validation in place, the actual risk could be significantly lower than the scanner suggests.
We carefully review all automated alerts in the context of our specific implementation to determine the actual risk and appropriate action.
Transparency is key in maintaining trust within our open-source community. To keep everyone informed about security-related matters:
- We maintain Security Advisories on the DataHub project GitHub repository
- These advisories include summaries of security issues, details on the fixes implemented, and any necessary mitigation steps for users
Security is an ongoing process, and we're committed to continuously improving our practices. By working together with our community of users and contributors, we aim to maintain DataHub as a secure and reliable metadata platform.
We encourage all users to stay updated with our security announcements and to promptly apply any security patches released. Together, we can ensure a safer environment for everyone in the DataHub community.