github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-28 04:21:03 +00:00
Code Issues Projects Releases Wiki Activity

Update SECURITY.md

Browse Source 
Co-authored-by: Greg Kurz <groug@kaod.org>
This commit is contained in:
Zvonko Kaiser 2025-06-27 15:45:26 -04:00
parent 8d5d08ce3b
commit 41d700548f
2 changed files with 23 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
SECURITY.md
View File

@ -6,19 +6,21 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
## Reporting a Vulnerability
1. **Private first.**
* **Private first.**
Do **not** open a public GitHub issue or pull request.
2. **Use the repository Security tab.**
• Click **“Security ➜ Report a vulnerability.”**
• This creates a private, access-restricted issue visible only to Kata maintainers and designated security champions.
* **Use the offical Github documentation on how to report a vulnerability.**
[Creating a repository security advisory](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory)
3. **Response targets (OpenSSF guidelines).**
| Action | Target time | Notes |
| ------ | ----------- | ----- |
| Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. |
| Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. |
| Fix availability | **Next scheduled monthly release**<br/>(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. |
### What to Expect
Once you've reported a vulnerability, here's what you can expect from our security response process. We follow OpenSSF guidelines for response timing:
| Action | Target time | Notes |
| ------ | ----------- | ----- |
| Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. |
| Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. |
| Fix availability | **Next scheduled monthly release**<br/>(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. |
---
@ -26,7 +28,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
| Release | First published | Security-fix window |
|---------|-----------------|---------------------|
| **Latest monthly release** | see `git tag -l` | Actively maintained |
| **Latest monthly release** | see `git tag --sort=-creatordate \| head -n 1` | Actively maintained |
| Any prior release | — | **Unsupported** please upgrade |
> **Why no backports?**
@ -38,10 +40,10 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
1. We develop the fix on a private branch.
2. Once validated, we coordinate embargo dates with downstream consumers when appropriate.
3. The fix ships in **either**:
* A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series, **or**
* The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk.
4. After the fix is public, we request a CVE ID (if not already issued) and publish details.
3. We request a CVE ID from MITRE (or another CNA) if one hasn't already been assigned.
4. The fix and vulnerability details are published together in **either**:
* Common: The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk, **or**
* Exception: A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series.
---
@ -64,7 +66,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
A: No. Upgrade to the latest monthly release.
**Q: Can I get early access to embargoed fixes?**
A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](https://kata-containers/kata-containers/SECURITY_CONTACTS)) receive advance patches.
A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](SECURITY_CONTACTS)) receive advance patches.
**Q: Where can I discuss the vulnerability once it is public?**
A: Open/continue a GitHub issue **after** the advisory is published, or use `#kata-containers` on Slack with a link to the advisory.

6
SECURITY_CONTACTS
View File

@ -1,9 +1,13 @@
# Copyright (c) 2025 Kata Containers Authors
#
# SPDX-License-Identifier: Apache-2.0
#
# Defined below are the security contacts for this repo.
#
# They are the contact point for the Product Security Committee to reach out
# to for triaging and handling of incoming issues.
#
# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
# INSTRUCTIONS AT hhttps://github.com/kata-containers/kata-containers/security
# INSTRUCTIONS AT [SECURITY.md](SECURITY.md)
@kata-containers/architecture-committee