Merge pull request #133 from grahamwhaley/20200129_reporting_vulnerabilities

docs: vulnerabilities: document how to report vulnerabilities
Archana Shinde 2020-03-18 10:27:43 -07:00 committed by GitHub
commit fea408d048
GPG Key ID: 4AEE18F83AFDEB23


@ -13,7 +13,9 @@
* [Maintainer](#maintainer) * [Maintainer](#maintainer)
* [Architecture Committee](#architecture-committee) * [Architecture Committee](#architecture-committee)
* [Vendoring code](#vendoring-code) * [Vendoring code](#vendoring-code)
* [Vulnerability Disclosure](#vulnerability-disclosure) * [Vulnerability Handling](#vulnerability-handling)
* [Reporting Vulnerabilities](#reporting-vulnerabilities)
* [Vulnerability Disclosure Process](#vulnerability-disclosure-process)
* [Week in Review template](#week-in-review-template) * [Week in Review template](#week-in-review-template)
# About Kata Containers # About Kata Containers
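Review bot: the two new entries `* [Reporting Vulnerabilities](#reporting-vulnerabilities)` and `* [Vulnerability Disclosure Process](#vulnerability-disclosure-process)` sit at the same list level as the top-level sections although they point at `##` subsections of "Vulnerability Handling"; indent them by two spaces under that entry so the table of contents mirrors the heading hierarchy. Renaming the section also drops the `#vulnerability-disclosure` anchor, so any existing inbound links to it will no longer resolve; mention the rename in the commit message or keep the old heading text somewhere on the page.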
@ -100,7 +102,32 @@ See [the elections documentation](elections) for further details.
See the [vendoring documentation](VENDORING.md). See the [vendoring documentation](VENDORING.md).
# Vulnerability Disclosure # Vulnerability Handling
Vulnerabilities in Kata are handled by the
[Vulnerability Management Team (VMT)](VMT/VMT.md).
There are generally two phases:
- The reporting of a vulnerability to the VMT
- Handling and disclosure of the vulnerability by the VMT
## Reporting Vulnerabilities
Vulnerabilities in Kata should be reported using the
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) model.
There are two methods available to report vulnerabilities to the Kata community:
1) Report via a private issue on the [Kata Containers launchpad](https://launchpad.net/katacontainers.io)
1) Email any member of the [Kata Containers architecture committee](#architecture-committee) directly
When reporting a vulnerability via the launchpad:
- You will need to create a launchpad login account.
- Preferably, but at your discretion, create the report as "Private Security", so the VMT can assess and
respond in a responsible manner. Only the VMT members will be able to view a "Private Security" tagged
issue initially, until it is deemed OK to make it publicly visible.
## Vulnerability Disclosure Process
Vulnerabilities in the Kata Container project are managed by the Kata Containers Vulnerabilities in the Kata Container project are managed by the Kata Containers
Vulnerability Management Team (VMT). Vulnerabilities are managed using a Vulnerability Management Team (VMT). Vulnerabilities are managed using a
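Review bot: the launchpad guidance `- Preferably, but at your discretion, create the report as "Private Security"` leaves privacy optional, yet a report filed without that flag is publicly visible before the VMT has assessed it, which defeats the responsible disclosure model this section asks reporters to follow; say that reports should be filed as "Private Security" and reserve the public option for issues already disclosed elsewhere. The second method, `1) Email any member of the [Kata Containers architecture committee](#architecture-committee) directly`, gives reporters no way to protect the report in transit; if committee members publish PGP keys, link them here, otherwise direct email reporters to the launchpad route for the details. Minor: both items of that list carry the marker `1)`, so the numbering depends on the renderer; `1)` and `2)` would be unambiguous in the source.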