Reporting a vulnerability
If you believe you've found a security issue in Stowage, please report it privately first. Do not open a public GitHub issue.
# How to report
The preferred channel is GitHub Security Advisories:
- Open the project's GitHub page: https://github.com/stowage-dev/stowage.
- Go to Security → Advisories → Report a vulnerability.
- Submit your report.
This routes the report to the maintainer privately and gives us a shared workspace to triage and patch.
# What to include
- The Stowage version (`stowage --help` prints it; releases are tagged at `v1.0.0`, `v1.0.1`, etc.).
- The deployment shape (binary on a host, Docker, Helm chart).
- A clear description of the issue and how to reproduce it.
- Any suggested mitigation if you have one.
- An estimate of the impact (data exposure, RCE, DoS, etc.).
# What we'll do
- Acknowledge the report within 5 business days.
- Triage and confirm reproduction.
- Develop a fix, with you in the loop on the GHSA thread.
- Coordinate disclosure timing — typically the patch ships first, the advisory goes public on the same day.
- Credit the reporter (with permission) in the release notes and the GHSA.
# Scope
In scope:
- The `stowage` binary and the `stowage-operator` binary.
- The Helm chart and Docker images shipped from this repository.
- The install scripts (`install.sh`, `install.ps1`).
Out of scope:
- Vulnerabilities in upstream backends (MinIO, Garage, etc.). Report those to the respective vendors.
- Configuration mistakes that aren't enabled by Stowage's defaults.
- Issues that require local administrative access to the Stowage host (e.g. modifying the binary on disk).
# Safe harbour
We will not pursue legal action against researchers who:
- Report in good faith via the channel above.
- Don't access data they aren't entitled to.
- Don't degrade availability for other users.
- Give us reasonable time to fix before public disclosure.