Security disclosure
The Kubewarden team appreciates investigative work on security vulnerabilities carried out by well-intentioned, ethical security researchers. Kubewarden follows the practice of responsible disclosure to best protect Kubewarden's user base from the impact of security issues. On Kubewarden's side, this means:
- Kubewarden treats security reports as a priority.
- Kubewarden releases fixes for issues as soon as is practical, prioritizing by risk.
- Kubewarden always transparently lets the community know about any incident that affects them.
If you have found a security vulnerability in Kubewarden, the easiest way to report it is through the Security tab of the GitHub repository. This mechanism lets the maintainers communicate privately with you, and you do not need to encrypt your messages.
Alternatively, you can disclose it responsibly by emailing cncf-kubewarden-maintainers@lists.cncf.io; the message can be unencrypted. Please do not discuss potential vulnerabilities in public before validating them with us.
You can also reach the team in the Kubewarden channel on the Kubernetes Slack server, for example to confirm that a report was received, but keep vulnerability details out of the channel and use one of the private paths above.
On receipt, the security team:
- Reviews the report, verifies the vulnerability, and responds with a confirmation and/or requests for further information.
- After the reported security bug has been addressed, Kubewarden notifies the researcher, who is then welcome to disclose publicly.
Refer to the community repository for more about the project's governance and security policy.