diff --git a/README.md b/README.md index ca7312251..9511e9f03 100644 --- a/README.md +++ b/README.md @@ -53,3 +53,7 @@ details on submitting patches and the contribution workflow. ## License Kurator is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details. + +## report a vulnerability + +If you find a vulnerability in Kurator, you can report it to our security-team in the [following way](https://github.com/kurator-dev/kurator/security-team/report-a-vulnerability.md). We will deal with it as soon as possible. diff --git a/community/security/report-a-vulnerability.md b/community/security/report-a-vulnerability.md new file mode 100644 index 000000000..c0c2b452f --- /dev/null +++ b/community/security/report-a-vulnerability.md 
@@ -0,0 +1,20 @@ +## Report a Vulnerability + +We sincerely request you to keep the vulnerability information confidential and responsibly disclose the vulnerabilities. + +To report a vulnerability, please contact the Security Team: [kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com). You can email the Security Team with the security details and the details expected for [kurator vulnerability report](vulnerability-report-template.md). + +The team will help diagnose the severity of the issue and determine how to address the issue. The reporter(s) can expect a response within 2 business day acknowledging the issue was received. If a response is not received within 2 business day, please reach out to any Security Team member (listed [here](security-groups.md), under the `The Security Team` section) directly to confirm receipt of the issue. We’ll try to keep you informed about our progress throughout the process. + +### When Should I Report a Vulnerability? + +- You think you discovered a potential security vulnerability in Kurator +- You are unsure how a vulnerability affects Kurator + +### When Should I NOT Report a Vulnerability? + +- You need help tuning Kurator components for security +- You need help applying security related updates +- Your issue is not security related + +If you think you discovered a vulnerability in another project that Kurator depends on, and that project has their own vulnerability reporting and disclosure process, please report it directly there. diff --git a/community/security/security-groups.md b/community/security/security-groups.md new file mode 100644 index 000000000..a8b11c825 --- /dev/null +++ b/community/security/security-groups.md 
@@ -0,0 +1,17 @@ +## The Security Team + +Email: + +[kurator-security@googlegroups.com](mailto:kurator-security@googlegroups.com) + +Owners: + +- [kevin-wangzefeng](https://github.com/kevin-wangzefeng) +- [hzxuzhonghu](https://github.com/hzxuzhonghu) + +Members: + +- [hzxuzhonghu](https://github.com/hzxuzhonghu) +- [zirain](https://github.com/zirain) +- [Xieql](https://github.com/Xieql) +- [LiZhenCheng9527](https://github.com/LiZhenCheng9527) \ No newline at end of file diff --git a/community/security/vulnerability-report-template.md b/community/security/vulnerability-report-template.md new file mode 100644 index 000000000..95f99cf78 --- /dev/null +++ b/community/security/vulnerability-report-template.md @@ -0,0 +1,17 @@ + + +**What happened**: + +**What you expected to happen**: + +**How to reproduce it (as minimally and precisely as possible)**: + +**Anything else we need to know?**: + +**Environment**: + +- Kurator version: +- kubectl version: +- fluxcd version: +- Others:
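Review bot: in the README hunk, the link target `https://github.com/kurator-dev/kurator/security-team/report-a-vulnerability.md` does not match the file this patch adds (`community/security/report-a-vulnerability.md`), and a bare `github.com/<org>/<repo>/<path>` URL without a `blob/<branch>/` segment does not resolve to a file in any case, so the new section points readers at a 404. Use a repository-relative link instead, e.g. `[following way](community/security/report-a-vulnerability.md)`, which also survives forks and branch renames. Minor: title-case the heading like the other README headings (`## Report a Vulnerability`), and "We will deal with it as soon as possible" could state the acknowledgement window the policy itself promises (2 business days) so the README and the policy agree.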
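Review bot: in the `report-a-vulnerability.md` hunk, the escalation path in the third paragraph ("reach out to any Security Team member (listed here ...) directly") cannot be followed as written, because `security-groups.md` lists members only by GitHub handle and offers no contact channel other than the same `kurator-security@googlegroups.com` address the reporter has already tried; either add a second contact method for escalation or drop the sentence. Grammar: "within 2 business day" should be "within 2 business days" in both places. The page asks reporters to keep the information confidential but the only channel it gives is plain email to a Google Group; state whether that group is private (a report must not land in a publicly archived list) and, if the team supports it, how to send details encrypted.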
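Review bot: in the `security-groups.md` hunk, `hzxuzhonghu` is listed under both `Owners:` and `Members:`; if owners are implicitly members, drop the duplicate from `Members`, otherwise add a line saying what distinguishes the two roles (who triages reports versus who administers the list), since `report-a-vulnerability.md` tells reporters to contact "any Security Team member". The file also lacks a trailing newline (`\ No newline at end of file`), which markdown linters and future diffs will flag.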
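Review bot: in the `vulnerability-report-template.md` hunk, the file opens with two empty `+` lines before `**What happened**:`, which look like residue from a stripped HTML comment or copied issue template and should be removed or replaced with a one-line instruction to the reporter. Because `report-a-vulnerability.md` says the team will "diagnose the severity of the issue", the template should collect what that needs: an impact or affected-component field, and whether the issue is already public or has been reported elsewhere. Under `Environment`, `kubectl version` alone gives only the client version; ask for the Kubernetes server version as well, since Kurator and Flux run against the cluster.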