-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #437 from viccuad/expand-disclosure
Expand security disclosure
- Loading branch information
Showing
1 changed file
with
12 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,7 +13,6 @@ doc-topic: [security, disclosure] | |
| <link rel="canonical" href="https://docs.kubewarden.io/disclosure"/> | ||
| </head> | ||
|
|
||
|
|
||
| The Kubewarden team greatly appreciates investigative work into security | ||
| vulnerabilities carried out by well-intentioned, ethical security researchers. | ||
| We follow the practice of [responsible | ||
|
|
@@ -23,20 +22,27 @@ side, this means: | |
|
|
||
| - We will respond to security incidents on priority. | ||
| - We will release fixes for issues as soon as is practical, keeping in mind | ||
| that not all risks are created equal. | ||
| that not all risks are created equal. | ||
| - We will always transparently let the community know about any incident that | ||
| affects them. | ||
|
|
||
| If you have found a security vulnerability in Kubewarden, we kindly ask that | ||
| you disclose it responsibly by emailing | ||
| If you have found a security vulnerability in Kubewarden, the easiest way to | ||
| report a vulnerability is through the [Security tab on | ||
| GitHub](https://github.com/kubewarden/community/security/advisories). This | ||
| mechanism allows maintainers to communicate privately with you, and you do not | ||
| need to encrypt your messages. | ||
|
|
||
| Alternatively, you can can disclose it responsibly by emailing | ||
| [[email protected]](mailto:[email protected]) | ||
| . Please do not discuss potential vulnerabilities in public without validating | ||
| in an **unencrypted** message. Please do not discuss potential vulnerabilities in public without validating | ||
| with us first. | ||
|
|
||
| You can also come talk to us at our [slack-room] in the Kubernetes Slack server. | ||
|
|
||
| On receipt the security team will: | ||
|
|
||
| - Review the report, verify the vulnerability and respond with confirmation | ||
| and/or further information requests. | ||
| and/or further information requests. | ||
| - Once the reported security bug has been addressed we will notify the | ||
| Researcher, who is then welcome to optionally disclose publicly. | ||
|
|
||
|
|
||