
Vulnerability disclosure policy

Do you think you’ve found a security flaw in AlmaLinux OS or one of our related projects? Read below for how to responsibly report it!

Reporting a Vulnerability

Taking the time to report a security vulnerability to us is greatly appreciated, and we will use every resource at our disposal to respect your time during the reporting process. When reporting an issue, please provide as much information as possible, but at least:

  • The project and version (even better if you can identify the specific commit) where you identified the vulnerability
  • A detailed description of the steps to reproduce
  • If appropriate, please include a proof of concept (plaintext only; no binaries)
  • Please also include your recommended remediation(s), if any, or any other concerns.

Do Not Send:

Sensitive or personal information.

Our maintainers will attempt to respond to and confirm your report within 2-3 days, but if you believe your report to be critical to user safety and security, please note that in the subject. We are fortunate enough to have hundreds of thousands of systems relying on the expertise of the AlmaLinux OS Team, and we take security very seriously.

Example Report

- **Title**: Flaw in mouse_pretend_package prevents cat_catch_mouse from starting

- **Environment** (list all tested or believed to be impacted): AlmaLinux 8, Platform: X86_64, OS Version: 8.5

- **Description**:
    I am unable to start cat_catch_mouse. When I try to start, I see the following error:

    [root@localhost ~]# systemctl status cat_catch_mouse
    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Failed with result 'exit-code'.
    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Service RestartSec=100ms expired, scheduling restart.
    Month 08 00:18:43 localhost.localdomain systemd[1]: cat_catch_mouse.service: Start request repeated too quickly.
    Month 08 00:18:43 localhost.localdomain systemd[1]: Failed to start CatCatchMouse.

- **Steps to Reproduce**:
    < insert all the steps that are necessary to reproduce the error. For example: >

    1. Install AlmaLinux 8.4 and update to 8.5.
    2. Run `sudo dnf install mouse_pretend_package`.
    3. Run `sudo systemctl enable --now cat_catch_mouse`.
    4. Try running `./alma_cat --list-all-mice`

- **Expected Result**: We catch all the mice and see an output of "below is a list of all mice that have been caught".

- **Actual Result**: `cat_catch_mouse.service` stops immediately with an exit code error.

- **Severity**: Urgent

Where to Report

  • For any issue that requires a coordinated release, send your report to security@almalinux.org directly so we can coordinate a responsible patch and release.

  • For issues that are directly related to the AlmaLinux operating system itself and do not require coordinated disclosure, please send your report to bugs.almalinux.org. This ensures that your report is received by the right people.

  • For non-OS-related reports (e.g., Elevate, the almalinux.org website, etc.), open an issue on the GitHub repo for that part of the project.

Feel free to stay connected via our security channel on Mattermost, or join the Testing & QA channel to get involved in further testing activities.
