Skip to content

Commit a0d3aa3

Browse files
committed
docs: Add Security Policy and section
- Add SECURITY.md with reporting and response process - Add Security section to profile/README.md linking to policy - Include CNCF Security Policy reference and reporting email Signed-off-by: mingcheng <mingcheng@apache.org>
1 parent ccc800b commit a0d3aa3

2 files changed

Lines changed: 32 additions & 1 deletion

File tree

SECURITY.md

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Security Policy
2+
3+
The KusionStack is a CNCF incubating project, and we follow the [CNCF Security Policy](https://contribute.cncf.io/projects/best-practices/security/). And we take the security of KusionStack very seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.
4+
5+
## Reporting a Vulnerability
6+
7+
To report a vulnerability, please follow these steps:
8+
9+
1. Go to the **Security** tab in the relevant repository on GitHub.
10+
2. Click on the **Advisories** tab.
11+
3. Click on **Report a vulnerability**.
12+
13+
Alternatively, you can send an email to [antsrc@service.alipay.com](mailto:antsrc@service.alipay.com) with a description of the issue, the steps to reproduce it, and the potential impact.
14+
15+
You can expect a response within 24 hours to acknowledge that we've received your report. If you don't hear back in that time, please reach out to a committer directly to confirm we received your message.
16+
17+
## Security Response Process
18+
19+
Once a committer confirms the report is valid, they will create a draft security advisory on GitHub. We'll discuss the issue with the relevant maintainers and the reporter(s) in private.
20+
21+
If you'd like to participate in the discussion, please provide your GitHub username so we can invite you. Otherwise, you can ask to be kept updated via email.
22+
23+
If we accept the vulnerability, we'll work with you to determine a timeline for developing a patch, disclosing the issue publicly, and releasing the fix.
24+
25+
## Scope
26+
27+
We prioritize vulnerabilities that could compromise data confidentiality, allow privilege escalation, or affect data integrity. Availability issues such as Denial of Service (DoS) and resource exhaustion are also taken seriously.

profile/README.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ As world's most promising Kubernetes Explorer/Kubernetes Dashboard, our end goal
1414

1515
[Kusion](https://github.com/KusionStack/kusion) is an intent-driven [Platform Orchestrator](https://internaldeveloperplatform.org/platform-orchestrators/), which sits at the core of an [Internal Developer Platform](https://internaldeveloperplatform.org/what-is-an-internal-developer-platform/). With Kusion you can enhance self-service developer experience, by giving developers the ability to deploy applications with all dependencies to all environments, with a single application specification - [AppConfiguration](https://www.kusionstack.io/docs/next/concepts/app-configuration).
1616

17-
Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process.
17+
Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process.
1818

1919
## Kuperator
2020

@@ -33,3 +33,7 @@ We regularly post about technical practice and thinking we have solved and provi
3333
## KusionStack Community Code of Conduct
3434

3535
KusionStack follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
36+
37+
## Security
38+
39+
KusionStack takes security seriously. If you discover a security vulnerability in any of our projects, please refer to our [Security Policy](https://github.com/KusionStack/.github/blob/main/SECURITY.md) for reporting guidelines. We will respond to all reports as quickly as possible.

0 commit comments

Comments
 (0)