On 27.02.20 17:16, Julien Pivotto wrote:
> On 27 Feb 08:12, Mihai Iordache wrote:
> > I have some additional questions as following:
> > 1. Are you performing regularly pentests ? if yes, how often ?
> 
> As https://prometheus.io/docs/operating/security/#external-audits
> 
> There was a pentest in 2018. There will probably be a new one in 2020,
> to be confirmed.

That was an audit. I wouldn't call that a pentest.

> > 2. All high and critical issues are addressed in a short amount of time ?
> 
> Prometheus is an open source project and we address those issues on a
> best-effort basis. We try to do our best but we don't promise anything.
> Some team members also closely follow golang releases for security
> vulnerabilities.

Exactly. If you want any kind of guarantee, you either have to
contribute security fixes yourself, or you have to pay somebody to do
it for you. (The latter is one of the many facets of building a
business on top of open source software.)

-- 
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] [email protected]
