Security: kubestellar/console-kb

SECURITY.md

Security Announcements

Join the kubestellar-security-announce group for emails about security and major announcements.

Report a Vulnerability

We're extremely grateful to the security researchers and users who report vulnerabilities to the KubeStellar Open Source Community. All reports are thoroughly investigated by community volunteers.

To report a vulnerability privately, use one of the following channels:

  1. GitHub Security Advisories — open a private report at: https://github.com/kubestellar/console-kb/security/advisories/new

  2. Email — send details to the private security list: kubestellar-security-announce@googlegroups.com

Please do not open a public GitHub issue for suspected security vulnerabilities.

What to include

  • A description of the issue and its potential impact
  • Whether the problem affects a fix/runbook file, the CI pipeline, repository infrastructure, or the supply chain
  • Steps to reproduce or validate the issue
  • Any proof-of-concept, hashes, raw URLs, script output, or logs that help confirm impact
  • Suggested mitigations, if known

When to report

  • You believe a fix or runbook file in this repository contains malicious content or could cause harm when imported and executed
  • You found a vulnerability in a CI workflow or automation script that could affect other contributors or users
  • You discovered a supply-chain concern in the mission-generation pipeline that could result in compromised content being published

When NOT to report

  • You have a question about how to use a fix or runbook (use Slack instead)
  • The issue is in the KubeStellar Console itself rather than in community-contributed mission content (report in kubestellar/console)

Security Vulnerability Response

Each report is acknowledged and analyzed by the maintainers within 3 working days.

Vulnerability information shared with the security team stays within the KubeStellar project and will not be disclosed publicly until a fix is available and coordinated with the reporter.

Public Disclosure Timing

A public disclosure date is negotiated between the KubeStellar Security Response Committee and the reporter. We prefer to disclose as soon as a mitigation is available. For straightforward issues, expect 7 days from report to disclosure.