CRI-O is used in production across many industries that rely on a stable and secure container runtime for critical infrastructure. Security is taken seriously and has high priority across all related projects to ensure users can trust CRI-O for their systems. This means that not only vulnerabilities for this project, but also for depending ones can be reported through our process, for example if a vulnerability affects conmon or conmon-rs.
We're extremely grateful for security researchers and users that report vulnerabilities to the CRI-O community. All reports are thoroughly investigated by a set of community volunteers.
To make a report, email the vulnerability to the private cncf-crio-security@lists.cncf.io list with the security details and the details expected for all CRI-O bug reports.
You can expect an initial response to the report within 3 business days. Possible fixes for vulnerabilities will be then discussed via the mail thread and can be considered as automatically embargoed until they got merged into all related branches. A project approver or reviewer (as defined in the OWNERS file) will coordinate how the pull requests and patches are being incorporated into the repository without breaking the embargo.
- You think you discovered a potential security vulnerability in CRI-O
- You are unsure how a vulnerability affects CRI-O
- You think you discovered a vulnerability in another project that CRI-O depends on (for projects with their own vulnerability reporting and disclosure process, please report it directly there)
- You need help tuning CRI-O components for security
- You need help applying security related updates
- Your issue is not security related