Merge pull request #133 from grahamwhaley/20200129_reporting_vulnerabilities

docs: vulnerabilities: document how to report vulnerabilities
Archana Shinde 2020-03-18 10:27:43 -07:00 committed by GitHub
commit fea408d048
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -13,7 +13,9 @@
* [Maintainer](#maintainer)
* [Architecture Committee](#architecture-committee)
* [Vendoring code](#vendoring-code)
* [Vulnerability Disclosure](#vulnerability-disclosure)
* [Vulnerability Handling](#vulnerability-handling)
* [Reporting Vulnerabilities](#reporting-vulnerabilities)
* [Vulnerability Disclosure Process](#vulnerability-disclosure-process)
* [Week in Review template](#week-in-review-template)
# About Kata Containers
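Review bot: renaming the `Vulnerability Disclosure` heading to `Vulnerability Handling` changes its anchor from `#vulnerability-disclosure` to `#vulnerability-handling`, so any existing link to the old anchor (elsewhere in this repository or from external pages) will silently break; grep the docs for `#vulnerability-disclosure` before merging and consider leaving a short pointer under the old name. Also, `Reporting Vulnerabilities` and `Vulnerability Disclosure Process` are `##` subsections of `Vulnerability Handling` in the body of the file, but as listed here they sit at the same level as their parent entry; indent them one level so the contents list mirrors the heading hierarchy.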
@ -100,7 +102,32 @@ See [the elections documentation](elections) for further details.
See the [vendoring documentation](VENDORING.md).
# Vulnerability Disclosure
# Vulnerability Handling
Vulnerabilities in Kata are handled by the
[Vulnerability Management Team (VMT)](VMT/VMT.md).
There are generally two phases:
- The reporting of a vulnerability to the VMT
- Handling and disclosure of the vulnerability by the VMT
## Reporting Vulnerabilities
Vulnerabilities in Kata should be reported using the
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) model.
There are two methods available to report vulnerabilities to the Kata community:
1) Report via a private issue on the [Kata Containers launchpad](https://launchpad.net/katacontainers.io)
1) Email any member of the [Kata Containers architecture committee](#architecture-committee) directly
When reporting a vulnerability via the launchpad:
- You will need to create a launchpad login account.
- Preferably, but at your discretion, create the report as "Private Security", so the VMT can assess and
respond in a responsible manner. Only the VMT members will be able to view a "Private Security" tagged
issue initially, until it is deemed OK to make it publicly visible.
## Vulnerability Disclosure Process
Vulnerabilities in the Kata Container project are managed by the Kata Containers
Vulnerability Management Team (VMT). Vulnerabilities are managed using a
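Review bot: "Preferably, but at your discretion, create the report as "Private Security"" undercuts the responsible-disclosure model the section has just asked reporters to follow: a launchpad report filed without that flag is publicly visible before the VMT has seen it, so the text should ask reporters to always file as "Private Security" and explain that the VMT will make the issue public once a fix is available. The email option has a similar gap: it names no security contact address, says nothing about whether the report can be sent encrypted, and does not say that the committee member forwards the report to the VMT, even though the "Vulnerability Handling" paragraph says all vulnerabilities are handled by the VMT; a sentence along the lines of "the committee member will pass the report to the VMT" closes that loop. Minor: the two `1)` items rely on Markdown auto-numbering and read oddly in raw form (use `1)` and `2)`), and "Kata Container project" on the last line should be "Kata Containers project" to match the rest of the file.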