Update SECURITY.md

Co-authored-by: Greg Kurz <groug@kaod.org>
This commit is contained in:
Zvonko Kaiser 2025-06-27 15:45:26 -04:00
parent 8d5d08ce3b
commit 41d700548f
2 changed files with 23 additions and 17 deletions

@ -6,19 +6,21 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
## Reporting a Vulnerability ## Reporting a Vulnerability
1. **Private first.** * **Private first.**
Do **not** open a public GitHub issue or pull request. Do **not** open a public GitHub issue or pull request.
2. **Use the repository Security tab.** * **Use the offical Github documentation on how to report a vulnerability.**
• Click **“Security ➜ Report a vulnerability.”** [Creating a repository security advisory](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory)
• This creates a private, access-restricted issue visible only to Kata maintainers and designated security champions.
3. **Response targets (OpenSSF guidelines).** ### What to Expect
| Action | Target time | Notes |
| ------ | ----------- | ----- | Once you've reported a vulnerability, here's what you can expect from our security response process. We follow OpenSSF guidelines for response timing:
| Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. |
| Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. | | Action | Target time | Notes |
| Fix availability | **Next scheduled monthly release**<br/>(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. | | ------ | ----------- | ----- |
| Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. |
| Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. |
| Fix availability | **Next scheduled monthly release**<br/>(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. |
--- ---
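Review bot: the new bullet "**Use the offical Github documentation on how to report a vulnerability.**" has two spelling slips: `offical` should be `official` and `Github` should be `GitHub`, matching the casing used on the same hunk's "public GitHub issue" line. The old sub-bullet explaining that the advisory is private and visible only to Kata maintainers and designated security champions has no counterpart on the new side; reporters want to know who will see their report before they file it, so consider keeping one sentence to that effect under the new bullet, next to the link to the GitHub advisory documentation.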
@ -26,7 +28,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
| Release | First published | Security-fix window | | Release | First published | Security-fix window |
|---------|-----------------|---------------------| |---------|-----------------|---------------------|
| **Latest monthly release** | see `git tag -l` | Actively maintained | | **Latest monthly release** | see `git tag --sort=-creatordate \| head -n 1` | Actively maintained |
| Any prior release | — | **Unsupported** please upgrade | | Any prior release | — | **Unsupported** please upgrade |
> **Why no backports?** > **Why no backports?**
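Review bot: `git tag --sort=-creatordate \| head -n 1` sits inside a Markdown table cell, so the escaped pipe is needed and GFM renders `\|` as `|` even inside the code span; worth checking in the rendered preview, since not every Markdown renderer honours that escape inside backticks. Sorting by creation date returns the most recently created tag of any kind, which only equals the "Latest monthly release" if no other tags (release candidates, test tags) are ever pushed; if they can be, say so in the Notes column or pass a pattern to `git tag -l` so the command matches release tags only.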
@ -38,10 +40,10 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
1. We develop the fix on a private branch. 1. We develop the fix on a private branch.
2. Once validated, we coordinate embargo dates with downstream consumers when appropriate. 2. Once validated, we coordinate embargo dates with downstream consumers when appropriate.
3. The fix ships in **either**: 3. We request a CVE ID from MITRE (or another CNA) if one hasn't already been assigned.
* A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series, **or** 4. The fix and vulnerability details are published together in **either**:
* The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk. * Common: The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk, **or**
4. After the fix is public, we request a CVE ID (if not already issued) and publish details. * Exception: A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series.
--- ---
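Review bot: requesting the CVE before publication (new step 3) is the right order for coordinated disclosure, since the fix and the advisory then go out with an identifier already assigned. Because the first hunk routes reports through a GitHub repository security advisory, and GitHub is itself a CNA that can assign a CVE from that advisory, consider naming that path ahead of "MITRE (or another CNA)" so the two sections describe a single workflow. In new step 4 the "Exception" criterion for a point release, "if the vulnerability affects only the current series", does not express urgency, whereas the response table in the first hunk ties an out-of-band patch release to Critical/High issues; aligning the two sentences on one criterion (severity, or a clear "waiting poses undue risk" test) would avoid readers finding two different rules for the same decision.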
@ -64,7 +66,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces
A: No. Upgrade to the latest monthly release. A: No. Upgrade to the latest monthly release.
**Q: Can I get early access to embargoed fixes?** **Q: Can I get early access to embargoed fixes?**
A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](https://kata-containers/kata-containers/SECURITY_CONTACTS)) receive advance patches. A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](SECURITY_CONTACTS)) receive advance patches.
**Q: Where can I discuss the vulnerability once it is public?** **Q: Where can I discuss the vulnerability once it is public?**
A: Open/continue a GitHub issue **after** the advisory is published, or use `#kata-containers` on Slack with a link to the advisory. A: Open/continue a GitHub issue **after** the advisory is published, or use `#kata-containers` on Slack with a link to the advisory.
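Review bot: switching to the relative `[SECURITY_CONTACTS](SECURITY_CONTACTS)` link fixes the unreachable `https://kata-containers/kata-containers/SECURITY_CONTACTS` URL on the left side, which has no valid host, and resolves correctly when SECURITY.md is rendered in the repository beside SECURITY_CONTACTS. If this policy text is ever copied or mirrored outside the repository, a relative link breaks, so the full blob URL on the default branch is the more robust choice; either way the link target should match wherever the second file in this commit actually lives.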

View File

@ -1,9 +1,13 @@
# Copyright (c) 2025 Kata Containers Authors
#
# SPDX-License-Identifier: Apache-2.0
#
# Defined below are the security contacts for this repo. # Defined below are the security contacts for this repo.
# #
# They are the contact point for the Product Security Committee to reach out # They are the contact point for the Product Security Committee to reach out
# to for triaging and handling of incoming issues. # to for triaging and handling of incoming issues.
# #
# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
# INSTRUCTIONS AT hhttps://github.com/kata-containers/kata-containers/security # INSTRUCTIONS AT [SECURITY.md](SECURITY.md)
@kata-containers/architecture-committee @kata-containers/architecture-committee
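Review bot: this file is plain text (comment lines starting with `#` followed by a team handle), not Markdown, so `[SECURITY.md](SECURITY.md)` on the right side of the `# INSTRUCTIONS AT` line will be shown literally rather than as a link; a bare path or a full URL reads better here and still removes the `hhttps://` typo of the old line. The added copyright and SPDX header matches the rest of the project's file headers and is welcome; the "DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES" warning stays intact, which is the important part.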