diff --git a/README.md b/README.md index b2ba9976ad..8d29b261cc 100644 --- a/README.md +++ b/README.md @@ -105,7 +105,7 @@ Please raise an issue [in this repository](https://github.com/kata-containers/kata-containers/issues). > **Note:** -> If you are reporting a security issue, please follow the [vulnerability reporting process](https://github.com/kata-containers/community#vulnerability-handling) +> If you are reporting a security issue, please follow the [vulnerability reporting process](SECURITY.md) ## Developers diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..f558106962 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,74 @@ +# Security Policy + +Kata Containers is a **rolling-release** project: every monthly release replaces the previous one, and only the _current_ release series receives security fixes. There are **no long-term-support branches**. + +--- + +## Reporting a Vulnerability + +### How to report + +- **Keep it private first.** + Please **do not** open a public GitHub issue or pull request for security problems. + +- **Use GitHub’s security advisory workflow** + Follow the official GitHub guide: + [Report a vulnerability privately](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/report-privately) + +### What happens after you submit + +We follow the OpenSSF vulnerability-handling guidelines. +The table below shows the target timelines we aim for once we receive your report. +These are independent objectives, not sequential steps. + +| Objective | Target time | Notes | +|-----------|-------------|-------| +| **Initial acknowledgement** | ≤ 14 calendar days | Maintainers confirm receipt and start triage. | +| **Triage & CVSS-v3.1 scoring** | ≤ 30 days | We assign severity and plan remediation. | +| **Fix availability** | Next scheduled monthly release
(or an out-of-band patch for Critical/High issues) | We may cut a `vX.Y.Z` patch if waiting a month poses undue risk. | +| **CVE assignment** | Before public disclosure | GitHub automatically requests a CVE ID when we publish the security advisory. | + +--- + +## Supported Versions + +| Release | First published | Security-fix window | +|---------|-----------------|---------------------| +| **Latest monthly release** | see `git tag --sort=-creatordate \| head -1` | Actively maintained | +| Any prior release | — | **Unsupported** – please upgrade | + +> **Why no backports?** +> Kata’s architecture evolves quickly; back-porting patches would re-introduce the very maintenance burden we avoid by using a rolling model. + +### For Downstream Distributions & Vendors + +If you maintain a downstream distribution or integration of Kata Containers: + +- **Embargo process**: Please be aware that security vulnerabilities are fixed in private as part of an embargo period. During this period only the Kata Containers Vulnerability Management Team (VMT) and very limited number of trusted contributors have access to the vulnerability report and participate in fixing the issue. +- **Early notification**: The Kata Containers VMT sends embargo notifications to the private embargo-notice mailing list a few days in advance of public announcements, to allow downstream stakeholders time to test the fix and prepare to move to the new release that contains the public fix. + +--- + +## Security Advisories & Release Notes + +- Where applicable, each release includes a **Security** section in its GitHub _Release Notes_ which contains the list of CVEs we have addressed in that release: + +- We do **not** publish separate “stable-branch” advisories because unsupported branches receive no fixes. + +- To see the list of published security advisories please visit the [security tab](https://github.com/kata-containers/kata-containers/security) in the kata-containers repository. + +--- + +## Frequently Asked Questions + +#### Q: I run `v3.24` – will you patch it? + +A: No. Upgrade to the latest monthly release. Only the current monthly release receives security fixes. + +#### Q: Where can I discuss a vulnerability once it is public? + +A: Open/continue a GitHub issue **after** the advisory is published, or use the `#general` channel in the [Kata Containers Slack workspace](https://join.slack.com/t/katacontainers/shared_invite/zt-16w1u6usn-sK871qbMxVN8KsCP5Gr56A) with a link to the official security advisory. + +--- + +_Last updated:_ 2026-06-12 diff --git a/SECURITY_CONTACTS b/SECURITY_CONTACTS new file mode 100644 index 0000000000..8f47473e48 --- /dev/null +++ b/SECURITY_CONTACTS @@ -0,0 +1,14 @@ +# Copyright (c) 2025, 2026 Kata Containers Authors +# +# SPDX-License-Identifier: Apache-2.0 +# +# Defined below are the security contacts for this repo. +# +# They are the contact point for the Product Security Committee to reach out +# to for triaging and handling of incoming issues. +# +# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE +# INSTRUCTIONS IN THE SECURITY.md FILE + +# For vulnerability reports: +# - Use GitHub's security advisory workflow (see SECURITY.md)