Security: confidential-containers/guest-components

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not use public issues to report security vulnerabilities.

To report a vulnerability, please select the Security tab of the repo and click "Report a vulnerability". This will create a private GitHub issue that CoCo maintainers and security champions will be able to see.

The CoCo community aspires to follow the security best practices defined by OpenSSF, including responding to vulnerability reports within 14 days.

Supported Versions

Please note that the CoCo community analyzes security issues only in the most recent release.

CoCo has not released any long-term supported versions yet.

Patches will not be backported to earlier versions.

Patches will be released either as point versions of the current version (e.g. v0.8.1 to correct v0.8) or as part of the next release (e.g. v0.9).

Security Bulletins

CoCo announces security issues and their fixes in the release notes of the patching version. For example, a vulnerability discovered in v0.8 and fixed in v0.8.1 will be announced in the release notes for v0.8.1.

There aren’t any published security advisories