Commit
Showing 1 changed file with 23 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Security Policy | ||
|
||
We take security vulnerabilities seriously (and so should you!) | ||
|
||
Our policy on reported vulnerabilities (see below on how to report) is that we will | ||
respond to the reporter of a vulnerability within two (2) business days of receiving | ||
the report and notify the reporter whether and when a remediation will be committed. | ||
|
||
When a remediation for a security vulnerability is committed, we will cut a tagged | ||
release of `gdt` and include in the release notes for that tagged release a description | ||
of the vulnerability and a discussion of how it was remediated, along with a note | ||
urging users to update to that fixed version. | ||
|
||
## Reporting a Vulnerability | ||
|
||
While `gdt` does have automated Github Dependabot alerts about security vulnerabilities | ||
in `gdt`'s dependencies, there is always a chance that a vulnerability in a dependency | ||
goes undetected by Dependabot. If you are aware of a vulnerability either in `gdt` or | ||
one of its dependencies, please do not hesitate to reach out to `gdt` maintainers via | ||
email or Slack. **Do not discuss vulnerabilities in a public forum**. | ||
|
||
`gdt`'s primary maintainer is Jay Pipes, who can be found on the Kubernetes Slack | ||
community as `@jaypipes` and reached via email at jaypipes at gmail dot com. |
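Review bot: The reporting section routes every report to one maintainer's personal email and Slack handle; consider adding a project-level contact (or GitHub's private vulnerability reporting on the repository) so a report is not lost when one inbox is unattended, and list what a report should contain (affected `gdt` version, reproduction steps, impact) so triage can begin without a round trip. The policy paragraph commits to a reply within two business days but sets no coordinated-disclosure window, so a reporter has no stated point at which public disclosure is acceptable; adding one, together with a "Supported Versions" section saying which `gdt` releases receive fixes, would make the tagged-release promise actionable. Minor: "Github Dependabot" should read "GitHub Dependabot".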