Reporting a vulnerability? See the Vulnerability Reporting section
We understand that many users place a high level of trust in Vector to collect and ship mission-critical data. The security of Vector is a top priority. That's why we apply widely accepted best practices when it comes to security. This document will describe these practices and aims to be as transparent as possible on our security efforts.
Project structure plays an important role in security. It creates guardrails that prevent common security issues. This section will outline our deliberate structural decisions that impact security.
We believe transparency is a strong deterrent of nefarious behavior that could otherwise undermine security.
Vector and its dependencies are open-source. All code and changes are publicly available at our Github repo. While the transparent nature open source helps to improve security, so does the large collaborative community behind Vector.
All of Vector's workflow is transparent. Pull requests, issues, chats, and our roadmap are all publicly available.
Version control ensures that all code changes are audited and authentic.
Vector leverages the Git version-control system. This ensures all changes are audited and traceable.
Because of Vector's merge style, commits to release branches are signed by Github itself during the squash and merge process. Commits to development branches are encouraged to be signed but not required since changes must go through a review process.
Vector cuts releases from the master
and v*
branches only. These branches
are protected. The exact requirements are:
- Cannot be deleted.
- Force pushes are not allowed.
- A linear history is required.
- Signed commits are required.
- Administrators are included in these checks.
Vector team members are required to review this security document as well as the contributing and reviewing documents.
Vector maintains this security policy. Changed are communicated to all Vector team members.
All Vector team members are required to enable two-factor authentication for their Github accounts.
Vector follows the principle of least privilege for its personnel access model. Vector maintains tiers user groups with tiered privileges to ensure users only have access to the minimal resources necessary.
When used, third-parties must also adhere to this security policy. Access is based on the principle of least privilege and removed when the contract ends.
The base of Vector's security lies in our choice of underlying technology and decisions around design and architecture.
The Rust programming language is memory and thread-safe; it will catch many common sources of vulnerabilities at compile time.
Vector does not allow the use of unsafe code except in circumstances where it is required, such as dealing with CFFI.
Vector is always designed to run under non-root
privileges, and our
documentation always defaults to non-root
use.
Vector aims to reduce the number of dependencies it relies on. If a dependency is added it goes through a comprehensive review process that is detailed in the Reviewing guide.
As noted above Vector uses the Git version control system on Github.
All changes to Vector must go through a pull request review process.
All pull requests must be reviewed by at least one Vector team member. The review process takes into account many factors, all of which are detailed in our Reviewing guide. In exceptional circumstances, this approval can be retroactive.
Vector requires pull requests to pass all automated checks. Once passed, the pull request must be squashed and merged. This creates a clean linear history with a Vector team member's co-sign.
When possible, we'll create automated checks to enforce security policies.
- Vector implements an automated
cargo deny
check. This is part of the Rust Security advisory database. The configuration, and a list of currently accepted advisories, are maintained in the Cargo Deny configuration. The check is run on every incoming PR to the Vector project. - Vector implements Dependabot which performs automated upgrades on dependencies and alerts about any dependency-related security vulernerabilities.
- We verify the security of our Docker images using Synk's vulnerability scanning.
If the advisory check fails then the PR will not be merged. We review each advisory to determine what action to take. If possible, we update the dependency to a version where the vulnerability has been addressed. If this isn't possible we either record the acceptance of the vulnerability or replace the dependency. If we accept the vulnerability we open a ticket to track its remediation, generally awaiting a fix upstream. If the risk is deemed unacceptable we revisit the code and dependency to find a more secure alternative.
Vector implements automated fuzz testing to probe our code for other sources of potential vulnerabilities.
Because Vector is an open-source project designed to be self-hosted it uses minimal infrastructure. Below we cover the various responsibilities for Vector's infrastructure and how we secure them.
All builds run in an isolated sandbox that is destroyed after each use.
Vector performs quarterly pen tests on timber.io and vector.dev.
All network traffic is secured via TLS and SSH. This includes checking out Vector's code from the relevant protected branch, Docker image retrieval, and publishing of Vector's release artifacts.
Changes to Vector's assets are logged through S3's audit logging feature.
All assets are signed with checksums allowing users to verify asset authenticity upon download. This verifies that assets have not been modified at rest.
Vector reviews this policy and all user access levels on a quarterly basis.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.
If you would like to report a vulnerability or have any security concerns with Vector, please e-mail vector@timber.io.
For non-critical matters, we prefer users open an issue. For us to best investigate your request, please include any of the following when reporting:
- Proof of concept
- Any tools, including versions used
- Any relevant output
We take all disclosures very seriously and will do our best to rapidly respond and verify the vulnerability before taking the necessary steps to fix it. After our initial reply to your disclosure, which should be directly after receiving it, we will periodically update you with the status of the fix.