This document defines security reporting, handling, and disclosure information for the OpenGitOps project and community.
We're very thankful for – and if desired happy to credit – security researchers and users who report vulnerabilities to the OpenGitOps community.
To report a security issue directlly related to the OpenGitOps project:
- Please email the private maintainers list cncf-opengitops-maintainers@lists.cncf.io with the details.
- You may, but are not required to, encrypt your email to this list using the PGP keys of OpenGitOps maintainers, listed below.
- You may choose if you want public acknowledgement of your effort and how you would like to be credited.
| Name | GitHub | Key URL | Fingerprint |
|---|---|---|---|
| Scott Rigby | @scottrigby | https://keybase.io/r6by/pgp_keys.asc | 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 |
| Dan Garfield | @todaywasawesome | https://keybase.io/dangarfield/pgp_keys.asc | EDD6 6C22 E665 61FE |
| Leonardo Murillo | @murillodigital | https://keybase.io/murillodigital/pgp_keys.asc | 8A45 0318 A616 94BD |
- All reports will be thoroughly investigated by the OpenGitOps maintainers.
- Any vulnerability information shared with the OpenGitOps maintainers will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need to know basis.
- As the security issue moves through the identification and resolution process, the reporter will be notified.
- Additional questions about the vulnerability may also be asked of the reporter.
Vulnerability disclosures will be listed as GitHub Security Advisories on the appropriate OpenGitOps repository and announced publicly. Disclosures will contain an overview, details about the vulnerability, a fix that will typically be an update, and optionally a workaround if one is available.
We prefer to fully disclose a vulnerability as soon as possible once a user mitigation is available. Disclosures will be published on the same day as a release fixing the vulnerability, after the release is published.