The following documents the upstream cloud-init security policy.
File a Private Security Report with a description of the issue, the steps needed to reproduce it, the affected versions, and, if known, any mitigations. See the Ubuntu Security disclosure policy for more information.
If the reported bug is deemed a genuine security issue, a CVE is assigned by the Canonical Security Team acting as CVE Numbering Authority (CNA).
If it is deemed a regular, non-security issue, the reporter will be asked to follow typical bug reporting procedures.
Disclosure of security issues is made with a public statement. Once the agreed disclosure date has arrived, the following will occur:
- A public bug is filed/made public with vulnerability details, CVE, mitigations and where to obtain the fix
- An announcement is made to GitHub Discussions