
Security: KubeOrch/.github


SECURITY.md

Security Policy

Reporting a Vulnerability

The KubeOrch project treats security vulnerabilities seriously and strives to act quickly when action is required.

The project requests that security issues be disclosed in a responsible manner to allow adequate time to respond. If a security issue or vulnerability has been found, please disclose the details using one of the following methods:

Primary Reporting Method

Open a private security advisory using GitHub's vulnerability report mechanism in the appropriate KubeOrch repository.

Alternative Reporting Method

If you cannot use GitHub's private reporting, please create a confidential issue in our community repository with the label "security" and mark it as confidential.

Information to Include

Please include as much information as possible with the report. The following details assist with analysis efforts:

  • Description of the vulnerability
  • Affected component (version, commit, branch, etc.)
  • Affected code (file path, line numbers)
  • Exploit code or proof of concept
  • Potential impact assessment
  • Suggested mitigation or fix (if known)

Any confidential information disclosed to the security team will be handled appropriately to prevent misuse or accidental disclosure.

Security Notices

Security notices will be published to:

  • The KubeOrch Community Discussions under the Security category
  • Security Advisories page of the affected repository
  • Project documentation and release notes

Security Team

The security team currently consists of the Maintainers of KubeOrch. As the project grows, we will expand the security team to include security experts from the community and contributing organizations.

Response Timeline

  • Acknowledgment: We aim to acknowledge receipt of vulnerability reports within 48 hours
  • Initial Assessment: We will provide an initial assessment within 5 business days
  • Resolution: We strive to resolve critical vulnerabilities within 30 days, depending on complexity

Disclosure Policy

KubeOrch follows a coordinated disclosure policy:

  1. Security vulnerabilities are handled privately until a fix is available
  2. We work with reporters to understand and reproduce issues
  3. Fixes are developed and tested before public disclosure
  4. Public disclosure includes credit to reporters (unless they prefer to remain anonymous)
  5. We aim to disclose vulnerabilities within 90 days of initial report

Security Best Practices

KubeOrch is designed with security in mind:

  • Self-deployable architecture reduces attack surface
  • IAM roles integration for secure cloud access
  • Automated security policy generation for Kubernetes deployments
  • Regular dependency updates and vulnerability scanning
  • Secure coding practices and code review requirements

Contact

For any questions about this security policy or the security posture of KubeOrch, please open a discussion in the KubeOrch Community.
