chores: add security docs (#77)

Signed-off-by: 佑祎 <zzw261520@alibaba-inc.com>
koordinator-sh · Apr 16, 2024 · 327ecbd · 327ecbd
1 parent 3635bf8
commit 327ecbd
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 4 deletions.
diff --git a/README-zh_CN.md b/README-zh_CN.md
@@ -78,4 +78,7 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L
 ## Star History
 
 [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date)
--->
+-->
+
+## 安全
+对于发现的安全漏洞，请邮件发送至kubernetes-security@service.aliyun.com，您可在[SECURITY.md](./SECURITY.md)文件中找到更多信息。
diff --git a/README.md b/README.md
@@ -21,12 +21,12 @@ running beyond K8s such as Apache Haddop YARN. As a resource management platform
 numbers of computing engines including MapReduce, Spark, Flink, Presto, etc.
 
 In order to extend the co-location scenario of Koordinator, now the community has provided Hadoop YARN extended suits
-`Koordinator YARN Copilot` in BigData ecosystem, supporting running Hadoop YARN jobs by `koord-batch` resources with 
+`Koordinator YARN Copilot` in BigData ecosystem, supporting running Hadoop YARN jobs by `koord-batch` resources with
 other K8s pods. The `Koordinator YARN Copilot` has following characteristics:
 
 - Open-Source native: implement against open-sourced version of Hadoop YARN; so there is no hack inside YARN modules.
 - Unifed resource priority and QoS strategy: the suits aims to the `koord-batch` priority of Koordinator, and also managed by QoS strategies of koordlet.
-- Resource sharing on node level: node resources of `koord-batch` priority can be requested by tasks of YARN or `Batch` pods both. 
+- Resource sharing on node level: node resources of `koord-batch` priority can be requested by tasks of YARN or `Batch` pods both.
 - Adaptive for multiple environments: the suits can be run under any environment, including public cloud or IDC.
 
 ## Quick Start
@@ -81,4 +81,7 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L
 ## Star History
 
 [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date)
--->
+-->
+
+## Security
+Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our [SECURITY.md](./SECURITY.md) file for details.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,22 @@
+# Security Policy
+
+- [Security Policy](#security-policy)
+  - [Reporting security problems](#reporting-security-problems)
+  - [Vulnerability Management Plans](#vulnerability-management-plans)
+    - [Critical Updates And Security Notices](#critical-updates-and-security-notices)
+
+## Reporting security problems
+
+**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please
+send an email to kubernetes-security@service.aliyun.com
+
+Please follow the [embargo policy](./embargo-policy.md) for all security-related problems.
+
+## Vulnerability Management Plans
+
+### Critical Updates And Security Notices
+
+We learn about critical software updates and security threats from these sources
+
+1. GitHub Security Alerts
+2. [Dependabot](https://dependabot.com/) Dependency Updates
diff --git a/embargo-policy.md b/embargo-policy.md
@@ -0,0 +1,30 @@
+# Embargo Policy
+
+This policy forbids members of this project's security contacts any others
+defined below from sharing information outside of the security contacts and this
+listing without need-to-know and advance notice.
+
+The information members and others receive from the list defined below must:
+
+* not be made public,
+* not be shared,
+* not be hinted at
+* must be kept confidential and close held
+
+Except with the list's explicit approval. This holds true until the public
+disclosure date/time that was agreed upon by the list.
+
+If information is inadvertently shared beyond what is allowed by this policy,
+you are REQUIRED to inform the security contacts kubernetes-security@service.aliyun.com of exactly what
+information leaked and to whom. A retrospective will take place after the leak
+so we can assess how to not make this mistake in the future.
+
+Violation of this policy will result in the immediate removal and subsequent
+replacement of you from this list or the Security Contacts.
+
+## Disclosure Timeline
+
+This project sustains a **disclosure timeline** to ensure we provide a
+quality, tested release. On some occasions, we may need to extend this timeline
+due to complexity of the problem, lack of expertise available, or other reasons.
+Submitters will be notified if an extension occurs.