
OpenGitOps Security


This document defines security reporting, handling, and disclosure information for the OpenGitOps project and community.

Reporting

We're very thankful for – and if desired happy to credit – security researchers and users who report vulnerabilities to the OpenGitOps community.

To report a security issue directly related to the OpenGitOps project:

  • Please email the private maintainers list cncf-opengitops-maintainers@lists.cncf.io with the details.
  • You may, but are not required to, encrypt your email to this list using the PGP keys of OpenGitOps maintainers, listed below.
  • You may choose if you want public acknowledgement of your effort and how you would like to be credited.

⚠️ If a vulnerability is for a specific project, tool or service in the wider GitOps ecosystem, please report it directly to the security team for that specific project. If you are unsure how to contact the security team for a specific project, you may send us a request for that info and we will do our best to help direct you. Please do not report vulnerability details for other projects to the OpenGitOps maintainers.

Maintainer PGP Keys

| Name | GitHub | Key URL | Fingerprint |
| --- | --- | --- | --- |
| Scott Rigby | @scottrigby | https://keybase.io/r6by/pgp_keys.asc | 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 |
| Dan Garfield | @todaywasawesome | https://keybase.io/dangarfield/pgp_keys.asc | EDD6 6C22 E665 61FE |
| Leonardo Murillo | @murillodigital | https://keybase.io/murillodigital/pgp_keys.asc | 8A45 0318 A616 94BD |

Handling

  • All reports will be thoroughly investigated by the OpenGitOps maintainers.
  • Any vulnerability information shared with the OpenGitOps maintainers will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need-to-know basis.
  • As the security issue moves through the identification and resolution process, the reporter will be notified.
  • Additional questions about the vulnerability may also be asked of the reporter.

Disclosures

Vulnerability disclosures will be listed as GitHub Security Advisories on the appropriate OpenGitOps repository and announced publicly. Disclosures will contain an overview, details about the vulnerability, a fix that will typically be an update, and optionally a workaround if one is available.

We prefer to fully disclose a vulnerability as soon as possible once a user mitigation is available. Disclosures will be published on the same day as a release fixing the vulnerability, after the release is published.
