Security: microcks/microcks.io

SECURITY.md

Security Policy

Reporting a Vulnerability

If you've found a vulnerability in our components or website or want additional information regarding how we manage security, please report it via a GitHub discussion.

If you do not want to publicly report a security issue for one of the libraries owned by the Microcks community, write an email with a detailed description of the issue to security@microcks.io.

Public Disclosure Timing

We prefer to fully disclose the bug as soon as possible once a user mitigation is available. The Fix Lead drives the schedule using their best judgment based on severity, development time, and release manager feedback. If the Fix Lead deals with public disclosure, all timelines will be set as soon as possible (ASAP).

Supported Versions

Microcks releases follow the semver specification. Security fixes are typically merged into the current development branch and are due for release in the next minor version. We may create a fix release upon request or, if deemed necessary, as part of a critical security fix.

Security Team

The security team is made up of a subset of the project maintainers and code owners who are willing and able to respond to vulnerability reports.

Credits

Sections of this document have been borrowed from and inspired by the OpenEBS project.

There aren’t any published security advisories