| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +Kubeflow Notebooks versions are expressed as `vX.Y.Z`, where X is the major version, |
| 6 | +Y is the minor version, and Z is the patch version, following the |
| 7 | +[Semantic Versioning](https://semver.org/) terminology. |
| 8 | + |
| 9 | +The Kubeflow Notebooks project maintains release branches for the most recent two minor releases. |
| 10 | +Applicable fixes, including security fixes, may be backported to those two release branches, |
| 11 | +depending on severity and feasibility. |
| 12 | + |
| 13 | +Users are encouraged to stay updated with the latest releases to benefit from security patches and |
| 14 | +improvements. |
| 15 | + |
| 16 | +## Reporting a Vulnerability |
| 17 | + |
| 18 | +We're extremely grateful for security researchers and users that report vulnerabilities to the |
| 19 | +Kubeflow Open Source Community. All reports are thoroughly investigated by Kubeflow projects owners. |
| 20 | + |
| 21 | +You can use the following ways to report security vulnerabilities privately: |
| 22 | + |
| 23 | +- Using the Kubeflow Notebooks repository [GitHub Security Advisory](https://github.com/kubeflow/notebooks/security/advisories/new). |
| 24 | +- Using our private Kubeflow Steering Committee mailing list: [email protected]. |
| 25 | + |
| 26 | +Please provide detailed information to help us understand and address the issue promptly. |
| 27 | + |
| 28 | +## Disclosure Process |
| 29 | + |
| 30 | +**Acknowledgment**: We will acknowledge receipt of your report within 10 business days. |
| 31 | + |
| 32 | +**Assessment**: The Kubeflow projects owners will investigate the reported issue to determine its |
| 33 | +validity and severity. |
| 34 | + |
| 35 | +**Resolution**: If the issue is confirmed, we will work on a fix and prepare a release. |
| 36 | + |
| 37 | +**Notification**: Once a fix is available, we will notify the reporter and coordinate a public |
| 38 | +disclosure. |
| 39 | + |
| 40 | +**Public Disclosure**: Details of the vulnerability and the fix will be published in the project's |
| 41 | +release notes and communicated through appropriate channels. |
| 42 | + |
| 43 | +## Prevention Mechanisms |
| 44 | + |
| 45 | +Kubeflow Notebooks employs several measures to prevent security issues: |
| 46 | + |
| 47 | +**Code Reviews**: All code changes are reviewed by maintainers to ensure code quality and security. |
| 48 | + |
| 49 | +**Dependency Management**: Regular updates and monitoring of dependencies (e.g. Dependabot) to |
| 50 | +address known vulnerabilities. |
| 51 | + |
| 52 | +**Continuous Integration**: Automated testing and security checks are integrated into the CI/CD pipeline. |
| 53 | + |
| 54 | +**Image Scanning**: Container images are scanned for vulnerabilities. |
| 55 | + |
| 56 | +## Communication Channels |
| 57 | + |
| 58 | +For the general questions please join the following resources: |
| 59 | + |
| 60 | +- Kubeflow [Slack channels](https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels). |
| 61 | + |
| 62 | +- Kubeflow discuss [mailing list](https://www.kubeflow.org/docs/about/community/#kubeflow-mailing-list). |
| 63 | + |
| 64 | +Please **do not report** security vulnerabilities through public channels. |
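Review bot: The private mailing-list address in the "Reporting a Vulnerability" list is rendered as `[email protected]`, which is a placeholder rather than a deliverable address, so one of the two private reporting paths is unusable as written; please replace it with the real Steering Committee list address before merging. Two smaller points: the "Please provide detailed information" line would be more actionable if it named what a report should include (affected version, reproduction steps, impact), and the text contains a few wording slips worth fixing in the same commit, "Kubeflow projects owners" (twice) should read "Kubeflow project owners", and "For the general questions please join" should read "For general questions, please join".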