Skip to content

Security: harvester/docs

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

The Harvester team supports responsible disclosure and endeavors to resolve security issues in a reasonable timeframe. To report a security vulnerability, email [email protected]. You may (but are not required to) use GPG for encrypted communication. For encryption key details, please see https://github.com/rancher/rancher/security

We currently do not have a bounty rewards program in place, and nor do we offer swags. However, we genuinely appreciate the vigilance and expertise of our user community in helping us maintain the highest security standards.

We strive to acknowledge receiving submissions within 5 working days, please wait until that time has past before asking for a status update.

The information contained in your report must be treated as embargoed and must not be shared publicly, unless explicitly agreed with us first. This is to protect the Harvester and Rancher ecosystem users and enable us to follow through our coordinated disclosure process. The information shall be kept embargoed until a fix is released.

We extend our heartfelt thanks to the security researchers and users who diligently report vulnerabilities. Your invaluable contributions enhance our ability to improve our systems and protect our user community. We credit all accepted reports from users and security researchers in our security advisories:

What information to provide

Feel free to get in touch in whatever way works best for you! However, if you're able to include the information below in your report, that would be incredibly helpful and much appreciated:

  • Product name and version where the issue was observed. If the issue was observed on the source code, the link to the specific code in GitHub instead.
  • Description of the problem.
  • Type of the issue and impact when exploited.
  • Steps to reproduce or a proof of concept.

The more information you provide, the faster we will be able to reproduce the issue and address your concerns more effectively.

There aren’t any published security advisories