From f6f5db3e3c57429650b0d94ac12778a0b8fa765a Mon Sep 17 00:00:00 2001 From: zwzhang Date: Tue, 16 Apr 2024 14:23:38 +0800 Subject: [PATCH] chores: add security docs (#2007) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 佑祎 --- README-zh_CN.md | 3 +++ README.md | 3 +++ SECURITY.md | 22 ++++++++++++++++++++++ embargo-policy.md | 30 ++++++++++++++++++++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 SECURITY.md create mode 100644 embargo-policy.md diff --git a/README-zh_CN.md b/README-zh_CN.md index 574cadb0e..ac0edcda7 100644 --- a/README-zh_CN.md +++ b/README-zh_CN.md @@ -78,3 +78,6 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date) --> + +## 安全 +对于发现的安全漏洞,请邮件发送至kubernetes-security@service.aliyun.com,您可在[SECURITY.md](./SECURITY.md)文件中找到更多信息。 \ No newline at end of file diff --git a/README.md b/README.md index 6dd785ed9..616a6cd57 100644 --- a/README.md +++ b/README.md @@ -78,3 +78,6 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date) --> + +## Security +Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our [SECURITY.md](./SECURITY.md) file for details. \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..d6f814d1c --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,22 @@ +# Security Policy + +- [Security Policy](#security-policy) + - [Reporting security problems](#reporting-security-problems) + - [Vulnerability Management Plans](#vulnerability-management-plans) + - [Critical Updates And Security Notices](#critical-updates-and-security-notices) + +## Reporting security problems + +**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please +send an email to kubernetes-security@service.aliyun.com + +Please follow the [embargo policy](./embargo-policy.md) for all security-related problems. + +## Vulnerability Management Plans + +### Critical Updates And Security Notices + +We learn about critical software updates and security threats from these sources + +1. GitHub Security Alerts +2. [Dependabot](https://dependabot.com/) Dependency Updates diff --git a/embargo-policy.md b/embargo-policy.md new file mode 100644 index 000000000..04c479c8f --- /dev/null +++ b/embargo-policy.md 
@@ -0,0 +1,30 @@ +# Embargo Policy + +This policy forbids members of this project's security contacts any others +defined below from sharing information outside of the security contacts and this +listing without need-to-know and advance notice. + +The information members and others receive from the list defined below must: + +* not be made public, +* not be shared, +* not be hinted at +* must be kept confidential and close held + +Except with the list's explicit approval. This holds true until the public +disclosure date/time that was agreed upon by the list. + +If information is inadvertently shared beyond what is allowed by this policy, +you are REQUIRED to inform the security contacts kubernetes-security@service.aliyun.com of exactly what +information leaked and to whom. A retrospective will take place after the leak +so we can assess how to not make this mistake in the future. + +Violation of this policy will result in the immediate removal and subsequent +replacement of you from this list or the Security Contacts. + +## Disclosure Timeline + +This project sustains a **disclosure timeline** to ensure we provide a +quality, tested release. On some occasions, we may need to extend this timeline +due to complexity of the problem, lack of expertise available, or other reasons. +Submitters will be notified if an extension occurs.
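Review bot: both README hunks in this patch append the new Security section without a trailing newline (each ends with `\ No newline at end of file`); terminate `README.md` and `README-zh_CN.md` with a newline so the next append to either file does not churn this line. The two sections are otherwise consistent: the Chinese text translates to "For discovered security vulnerabilities, please email kubernetes-security@service.aliyun.com; you can find more information in SECURITY.md", matching the English, and both correctly point readers at `./SECURITY.md` rather than duplicating the policy in the README.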
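Review bot: in the SECURITY.md hunk, the `## Vulnerability Management Plans` heading has no content of its own, and its only subsection, `### Critical Updates And Security Notices`, lists where the project learns about dependency updates (GitHub Security Alerts, Dependabot) rather than how a reported vulnerability is handled. A reporter reading this file cannot tell which release lines receive fixes, how quickly a report is acknowledged, or where fixes are announced; add those three points under the heading. The `## Reporting security problems` section offers only plain email; state whether an encrypted channel (such as a published PGP key for the mailbox) is available, since reporters are asked to send exploit details to it. Minor: `send an email to kubernetes-security@service.aliyun.com` lacks a terminating period, and `https://dependabot.com/` is the pre-acquisition domain, which now redirects to GitHub; link GitHub's Dependabot documentation instead.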
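Review bot: in the embargo-policy.md hunk, the opening sentence `This policy forbids members of this project's security contacts any others` is missing its conjunction (`security contacts and any others defined below`), and nothing is defined below: the file names no list or membership beyond the kubernetes-security@service.aliyun.com mailbox, so `the list`, `the list's explicit approval` and `removal ... from this list or the Security Contacts` all refer to an undefined group. Either name the group (for example, the members of that mailbox) or drop the references. The `## Disclosure Timeline` section says the project "sustains a disclosure timeline" but never states one; give the baseline (a maximum embargo period in days from report to public disclosure) so the extension clause has something to extend and reporters know when they may publish. Wording: `close held` should be `closely held`; the fourth bullet (`must be kept confidential`) repeats the `must` already in the lead-in `must:`, and the third bullet (`not be hinted at`) lacks the trailing comma the others carry.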