# Security Policy

## Reporting a Vulnerability

The KubeVirt project treats security vulnerabilities seriously, so we
strive to take action quickly when required.

The project requests that security issues be disclosed in a responsible
manner to allow adequate time to respond. If a security issue or
vulnerability has been found, please disclose the details to our
dedicated email address:

cncf-kubevirt-security@lists.cncf.io

Please include as much information as possible with the report. The
following details assist with analysis efforts:
 - Description of the vulnerability
 - Affected component (version, commit, branch etc)
 - Affected code (file path, line numbers)
 - Exploit code

Any confidential information disclosed to the security team will be
handled appropriately to prevent misuse or accidental disclosure.

## Security Notices

Security notices will be sent to the kubevirt-dev@googlegroups.com
mailing list and published to the
[Security Advisories](https://github.com/kubevirt/kubevirt/security/advisories)
page.

## Security Team

The security team currently consists of the Maintainers of KubeVirt and is
supported by security teams of involved vendors.

List of involved vendor security teams:
- Red Hat <secalert@redhat.com>
- SUSE <security@suse.de>

## Alternate Reporting Mechanism

If you are unable to report the vulnerability to the dedicated email address, you can use the [GitHub vulnerability report mechanism](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).