Security disclosure

The Kubewarden team greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We follow the practice of responsible disclosure in order to best protect Kubewarden’s user-base from the impact of security issues. On our side, this means:

  • We will treat security incidents as a priority and respond accordingly.

  • We will release fixes for issues as soon as is practical, keeping in mind that not all risks are created equal.

  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability in Kubewarden, the easiest way to report it is through the Security tab on GitHub. This mechanism allows maintainers to communicate privately with you, and you do not need to encrypt your messages.

Alternatively, you can disclose it responsibly by emailing cncf-kubewarden-maintainers@lists.cncf.io; the message does not need to be encrypted. Please do not discuss potential vulnerabilities in public without validating them with us first.

You can also come and talk to us in our Slack room on the Kubernetes Slack server.

On receipt of a report, the security team will:

  • Review the report, verify the vulnerability, and respond with a confirmation and/or requests for further information.

  • Once the reported security bug has been addressed, notify the researcher, who is then welcome to disclose it publicly if they wish.

Please refer to the community repository to find out more about the project's governance and security policy.