Merge pull request #438 from LiZhenCheng9527/add-securityTeam

add security team
kurator-dev · Nov 9, 2023 · c69f98e · c69f98e
2 parents cd95b6b + d02032c
commit c69f98e
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -53,3 +53,7 @@ details on submitting patches and the contribution workflow.
 ## License
 
 Kurator is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.
+
+## report a vulnerability
+
+If you find a vulnerability in Kurator, you can report it to our security-team in the [following way](https://github.com/kurator-dev/kurator/security-team/report-a-vulnerability.md). We will deal with it as soon as possible.
diff --git a/community/security/report-a-vulnerability.md b/community/security/report-a-vulnerability.md
@@ -0,0 +1,20 @@
+## Report a Vulnerability
+
+We sincerely request you to keep the vulnerability information confidential and responsibly disclose the vulnerabilities.
+
+To report a vulnerability, please contact the Security Team: [kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com). You can email the Security Team with the security details and the details expected for [kurator vulnerability report](vulnerability-report-template.md).
+
+The team will help diagnose the severity of the issue and determine how to address the issue. The reporter(s) can expect a response within 2 business day acknowledging the issue was received. If a response is not received within 2 business day, please reach out to any Security Team member (listed [here](security-groups.md), under the `The Security Team` section) directly to confirm receipt of the issue. We’ll try to keep you informed about our progress throughout the process.
+
+### When Should I Report a Vulnerability?
+
+- You think you discovered a potential security vulnerability in Kurator
+- You are unsure how a vulnerability affects Kurator
+
+### When Should I NOT Report a Vulnerability?
+
+- You need help tuning Kurator components for security
+- You need help applying security related updates
+- Your issue is not security related
+
+If you think you discovered a vulnerability in another project that Kurator depends on, and that project has their own vulnerability reporting and disclosure process, please report it directly there.
diff --git a/community/security/security-groups.md b/community/security/security-groups.md
@@ -0,0 +1,17 @@
+## The Security Team
+
+Email:
+
+[kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com)
+
+Owners:
+
+- [kevin-wangzefeng](https://github.com/kevin-wangzefeng)
+- [hzxuzhonghu](https://github.com/hzxuzhonghu)
+
+Members:
+
+- [hzxuzhonghu](https://github.com/hzxuzhonghu)
+- [zirain](https://github.com/zirain)
+- [Xieql](https://github.com/Xieql)
+- [LiZhenCheng9527](https://github.com/LiZhenCheng9527)
diff --git a/community/security/vulnerability-report-template.md b/community/security/vulnerability-report-template.md
@@ -0,0 +1,17 @@
+<!-- Please use this template while reporting a Kurator vulnerability and provide as much info as possible. Not doing so may result in your culnerability not being addressed in a timely manner. Thanks!
+-->
+
+**What happened**:
+
+**What you expected to happen**:
+
+**How to reproduce it (as minimally and precisely as possible)**:
+
+**Anything else we need to know?**:
+
+**Environment**:
+
+- Kurator version:
+- kubectl version:
+- fluxcd version:
+- Others: