strimzi / strimzi-ui

Strimzi UI
Apache License 2.0

Where to report security issues? #151

Closed mogulano closed 3 years ago

mogulano commented 3 years ago

How could I report a security vulnerability? Any email to write to?

scholzj commented 3 years ago

I guess you can in general report them to cncf-strimzi-maintainers@lists.cncf.io mailing list. But keep in mind that the Strimzi UI has no releases and is not usable at this point. So IMHO at this point you can probably just report them as regular issues since they would anyway not be CVEs as far as I understood.

mogulano commented 3 years ago

The vulnerability allows getting read/write access to the repository for any user. Are you sure it is the best course of action to make the instructions public in a mail conference or attach them to the repo as an issue? I have already sent the report to jordan.tucker1@ibm.com and pmuir@bleepbleep.org.uk without response.

scholzj commented 3 years ago

AFAIK the maintainers mailing list is private. Or are you saying you can read its posts?

mogulano commented 3 years ago

Didn't know it was private. Thanks!