Kedro and its community take security bugs seriously. We appreciate efforts to improve the security of all Kedro products and follow the GitHub coordinated disclosure of security vulnerabilities for responsible disclosure and prompt mitigation. We are committed to working with security researchers to resolve the vulnerabilities they discover.
The latest versions of Kedro, Kedro-Viz, Kedro Starters and the Kedro plugins have continued support. Any critical vulnerability will be fixed and a release will be done for the affected project as soon as possible.
When finding a security vulnerability in Kedro, Kedro-Viz, Kedro Starters or any of the official Kedro plugins, perform the following actions:
- Open an issue on the Kedro repository. Ensure that you use
(security) Security Vulnerabilityas the title and do not mention any vulnerability details in the issue post. - Send a notification email to the Kedro Framework maintainers that contains, at a minimum:
- The link to the filed issue stub.
- Your GitHub handle.
- Detailed information about the security vulnerability, evidence that supports the relevance of the finding and any reproducibility instructions for independent confirmation.
This first stage of reporting is to ensure that a rapid validation can occur without wasting the time and effort of a reporter. Future communication and vulnerability resolution will be conducted after validating the veracity of the reported issue.
A Kedro maintainer will, after validating the report:
- Acknowledge the bug
- Mark the issue with a
Blocker📛priority - Open a draft GitHub Security Advisory to discuss the vulnerability details in private.
The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.