
Added "Report a Security Incident" topic #932

Merged
n-boshnakov merged 4 commits into gardener:master from n-boshnakov:add-report-security-incident-documentation
Apr 16, 2026

Conversation

@n-boshnakov
Contributor

@n-boshnakov n-boshnakov commented Apr 9, 2026

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:
This PR adds documentation about reporting a security incident.

Which issue(s) this PR fixes:
Part of #923

Special notes for your reviewer:

Summary by CodeRabbit

  • Documentation
    • Added a FAQ entry directing users to the security reporting guide.
    • Added a "Reporting a Security Incident" guide covering pre-report checks, avoiding public disclosure, and two private submission routes (private GitHub vulnerability report or security mailing list). Also explains how to proceed when a vulnerability is already publicly known.

@n-boshnakov n-boshnakov requested a review from a team as a code owner April 9, 2026 10:24
@gardener-prow

gardener-prow bot commented Apr 9, 2026

@n-boshnakov: The label(s) kind/documentation cannot be applied, because the repository doesn't have them.


In response to this:

How to categorize this PR?

/kind documentation

What this PR does / why we need it:
This PR adds documentation about reporting a security incident.

Which issue(s) this PR fixes:
Part of #923

Special notes for your reviewer:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@netlify

netlify bot commented Apr 9, 2026

Deploy Preview for gardener-docs ready!

Latest commit: a3106ad
Latest deploy log: https://app.netlify.com/projects/gardener-docs/deploys/69df76afe5ef6a0008ccd857
Deploy Preview: https://deploy-preview-932--gardener-docs.netlify.app

Lighthouse (1 path audited)
Performance: 69 (🔴 down 4 from production)
Accessibility: 97 (no change from production)
Best Practices: 92 (no change from production)
SEO: 98 (no change from production)
PWA: 90 (no change from production)

@gardener-prow gardener-prow bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 9, 2026
@coderabbitai
Contributor

coderabbitai bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between dfbb40a and a3106ad.

📒 Files selected for processing (1)
  • website/documentation/security-and-compliance/security-incident.md
✅ Files skipped from review due to trivial changes (1)
  • website/documentation/security-and-compliance/security-incident.md

📝 Walkthrough

Adds two documentation pages: an FAQ linking to incident reporting guidance, and a "Reporting a Security Incident" guide that outlines pre-report checks, private submission routes (GitHub private report or security mailing list), and steps for already-public vulnerabilities.

Changes

FAQ + Link: website/documentation/faq/reporting-security-incident.md
New FAQ page that points readers to the detailed security incident reporting guide.

Security Incident Guide: website/documentation/security-and-compliance/security-incident.md
New guide defining prerequisites before reporting, instructions to avoid public disclosure, private submission channels (GitHub private vulnerability report or gardener-security@lists.neonephos.org), and guidance for handling already-public vulnerabilities.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I found a note beneath the clover, hush and neat,
A quiet path to send the bug discreet.
I nudge the mail, I tap the private gate—
Patches bloom softly when we coordinate. 🌿

🚥 Pre-merge checks: 3 passed

Title check: ✅ Passed. The title clearly and accurately summarizes the main change: adding documentation about reporting security incidents.
Description check: ✅ Passed. The description covers all required template sections including PR categorization (/kind enhancement), what the PR does, related issue reference, and review notes.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
website/documentation/faq/reporting-security-incident.md (1)

5-5: Prefer a more direct sentence opening.

Line 5 can be tightened for readability by removing “In order to”.

Suggested wording
-In order to report a security incident for Gardener, please follow the steps outlined in [Reporting a Security Incident](../security-and-compliance/security-incident.md).
+To report a security incident for Gardener, follow the steps in [Reporting a Security Incident](../security-and-compliance/security-incident.md).
website/documentation/security-and-compliance/security-incident.md (1)

9-9: Use stronger wording for unsupported versions.

“old version” can be tightened to “outdated version” for clarity.

Suggested wording
-Only supported versions receive patches. If using an old version, verify the issue exists in the latest release before reporting.
+Only supported versions receive patches. If using an outdated version, verify the issue exists in the latest release before reporting.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/documentation/security-and-compliance/security-incident.md`:
- Around line 115-123: The CVSS version references are inconsistent: update the
section header or label "Estimated CVSS v3.0 Score" to "Estimated CVSS v3.1
Score" so it matches the example vector "CVSS:3.1/..." and also update the help
link to the CVSS 3.1 calculator URL (replace the 3.0 link). Ensure the heading
"7. CVSS Score (optional)" remains and only the version text and help link are
changed so both references consistently use CVSS 3.1.
- Line 41: The fenced code block lacks a language identifier (triggering MD040);
update the opening fence for the YAML-like security email block to include a
language tag (e.g., ```text) so the block becomes fenced with ```text and ensure
the closing fence remains ```; locate the fenced block around the Subject:
[SECURITY] Vulnerability Report text and add the language identifier to the
opening fence only.
- Around line 194-200: Add blank lines before and after the Markdown tables to
satisfy MD058: insert a blank line between the preceding heading "### Security
Team" (and the prior heading above the first table) and the table starting with
"| Name | GitHub |", and ensure a blank line follows the table rows (e.g., the
row with "Eva Kuhnle-Heck | [`@HeckEK`](https://github.com/HeckEK)") so both
tables are surrounded by empty lines.


📥 Commits

Reviewing files that changed from the base of the PR and between f8cfbab and b735447.

📒 Files selected for processing (2)
  • website/documentation/faq/reporting-security-incident.md
  • website/documentation/security-and-compliance/security-incident.md

@gardener-prow gardener-prow bot added cla: no Indicates the PR's author has not signed the cla-assistant.io CLA. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. and removed cla: no Indicates the PR's author has not signed the cla-assistant.io CLA. labels Apr 9, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
website/documentation/security-and-compliance/security-incident.md (2)

41-41: ⚠️ Potential issue | 🟡 Minor

Add a language tag to the fenced template block.

Line 41 still opens a fenced block without a language identifier, which can fail markdownlint (MD040).

Proposed fix
-```
+```text
 ---
 Subject: [SECURITY] Vulnerability Report
 ---
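Review bot: `text` is the right tag for this block rather than `yaml`; the `---` lines inside the fence are visual separators of an e-mail template, not YAML front matter, and a `yaml` tag would invite highlighters and linters to treat it as a document. Since this is marked as a duplicate of the first review's MD040 finding and line 41 still opens a bare fence, confirm the next push actually contains the fence change, otherwise the lint failure persists.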

117-123: ⚠️ Potential issue | 🟡 Minor

Keep CVSS references on one version (3.1).

Line 117 and Line 123 use 3.0, while Line 121 uses a 3.1 vector. Please align these to avoid conflicting guidance.

Proposed fix
-**Estimated CVSS v3.0 Score:**
+**Estimated CVSS v3.1 Score:**
@@
-[Get help: https://www.first.org/cvss/calculator/3.0]
+[Get help: https://www.first.org/cvss/calculator/3.1]
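Review bot: the two replacements cover the label (line 117) and the help link (line 123), but the `@@` gap hides the vector line itself (line 121 per the comment). Confirm that line already reads `CVSS:3.1/...` and that no other "v3.0" mention survives in section "7. CVSS Score (optional)", otherwise the version mismatch just moves rather than disappears.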
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@website/documentation/security-and-compliance/security-incident.md`:
- Line 160: The in-page anchor target "#who-handles-your-report" referenced in
the sentence "The Security Team reproduces the issue and assesses severity. The
[Security Officer](`#who-handles-your-report`) finalizes the CVSS score." is
broken; either add a matching heading with the id/text "Who handles your report"
(so the fragment resolves) or update the link to point to the existing heading
that describes who handles reports (replace "#who-handles-your-report" with the
correct fragment for that existing heading). Ensure the heading text/HTML id
exactly matches the fragment you choose.


📥 Commits

Reviewing files that changed from the base of the PR and between b735447 and eca1817.

📒 Files selected for processing (1)
  • website/documentation/security-and-compliance/security-incident.md

@HeckEK

HeckEK commented Apr 10, 2026

/lgtm

@gardener-prow

gardener-prow bot commented Apr 10, 2026

@HeckEK: adding LGTM is restricted to approvers and reviewers in OWNERS files.


In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 15, 2026
@donistz donistz left a comment


/lgtm

@gardener-prow

gardener-prow bot commented Apr 15, 2026

@donistz: adding LGTM is restricted to approvers and reviewers in OWNERS files.


In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Member

@klocke-io klocke-io left a comment


/lgtm

@gardener-prow

gardener-prow bot commented Apr 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: donistz, klocke-io

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 16, 2026
@gardener-prow

gardener-prow bot commented Apr 16, 2026

LGTM label has been added.

Git tree hash: 1d3b3185192c46e084c463e23fd87e28a932e7c7

@n-boshnakov n-boshnakov merged commit c3825c5 into gardener:master Apr 16, 2026
7 of 8 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
