mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-01 22:50:54 +00:00
Explicit SECURITY.md that reflects Kata’s rolling-release model (monthly cadence, no long-term branches) and sets clear expectations for reporters and downstream users.

With the SECURITY.md in place we also need the SECURITY_CONTACTS.

- Add alternative reporting method (email) for non-GitHub users
- Add section for downstream distributions and vendors with early notification details
- Clarify that timelines are independent objectives, not sequential steps
- Reorder disclosure process to emphasize patch releases are exceptions
- Update git tag command in version table (remove unnecessary pipe)
- Expand FAQ with downstream distribution and non-GitHub reporter questions
- Update timestamp to reflect current changes (2026-04-01)
- Update SECURITY_CONTACTS with email contact and downstream notification info
- Clarify CVE assignment process through GitHub

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
15 lines
490 B
Plaintext
# Copyright (c) 2025, 2026 Kata Containers Authors
#
# SPDX-License-Identifier: Apache-2.0
#
# Defined below are the security contacts for this repo.
#
# They are the contact point for the Product Security Committee to reach out
# to for triaging and handling of incoming issues.
#
# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
# INSTRUCTIONS IN THE SECURITY.md FILE

# For vulnerability reports:
# - Use GitHub's security advisory workflow (see SECURITY.md)