We're always looking for ways to improve our security posture, and we take security vulnerabilities seriously.
To report a vulnerability, send an email to the official k8gb maintainers list at cncf-k8gb-maintainers@lists.cncf.io.
Please make sure to provide the following information:
- vulnerability description
- version of the k8gb package
- version of the k8s cluster
- steps to reproduce the vulnerability
The standard response time from k8gb project maintainers for a vulnerability report is less than 14 days.
Once k8gb project maintainers have confirmed the relevance of the report, a draft security advisory will be created on GitHub. Please provide your GitHub username to the k8gb project maintainers if you wish to be invited to participate in advisory discussions. You can also request to be updated about advisory discussions directly via email.
If the vulnerability is accepted, you'll be informed about the determined timeline for developing a patch, public disclosure, and patch release. You are expected to participate in the discussion of the timeline and respect the agreed dates for public disclosure.