kata-containers/SECURITY_CONTACTS
stevenhorsman 4bbbcb813e doc: Create SECURITY.md
Explicit SECURITY.md that reflects Kata’s rolling-release model
(monthly cadence, no long-term branches) and sets clear expectations
for reporters and downstream users.
With the SECURITY.md in place we need also the SECURITY_CONTACTS

- Add alternative reporting method (email) for non-GitHub users
- Add section for downstream distributions and vendors with early notification details
- Clarify that timelines are independent objectives, not sequential steps
- Reorder disclosure process to emphasize patch releases are exceptions
- Update git tag command in version table (remove unnecessary pipe)
- Expand FAQ with downstream distribution and non-GitHub reporter questions
- Update timestamp to reflect current changes (2026-04-01)
- Update SECURITY_CONTACTS with email contact and downstream notification info
- Clarify CVE assignment process through GitHub

Signed-off-by: Anastassios Nanos <ananos@nubificus.co.uk>
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-06-18 14:23:52 +01:00

15 lines
490 B
Plaintext

# Copyright (c) 2025, 2026 Kata Containers Authors
#
# SPDX-License-Identifier: Apache-2.0
#
# Defined below are the security contacts for this repo.
#
# They are the contact point for the Product Security Committee to reach out
# to for triaging and handling of incoming issues.
#
# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
# INSTRUCTIONS IN THE SECURITY.md FILE
# For vulnerability reports:
# - Use GitHub's security advisory workflow (see SECURITY.md)