Currently supported versions:

| Version | Supported |
|---|---|
| >= 2.4.0 | ✅ |
| < 2.4.0 | ❌ |

Security vulnerabilities should be emailed to all members of the MAINTAINERS file to coordinate the disclosure of the vulnerability.
When a maintainer is notified of a security vulnerability, they must create a GitHub security advisory per the instructions at:
Maintainers should use the optional GitHub feature to request that a CVE be issued. Alternatively, Red Hat has provided CVEs in the past and may be used, but the preference is for GitHub as the issuing CNA.
Once ready, maintainers should publish the security vulnerability as outlined in:
In addition to ensuring the CVE is published, maintainers shall have new release versions ready to publish at the same time as the CVE. Maintainers should strive to adhere to a sub-60-day turnaround from report to release.