Skip to content

Security: dhineshbabuelango/community

Security

SECURITY.md

Helm Security Process and Policy

This document provides the details on the Helm security policy and details the processes surrounding security handling including a how to guide on reporting a security vulnerability for anything within the Helm organization.

Report A Vulnerability

We’re extremely grateful for security researchers and users who report vulnerabilities to the Helm community. All reports are thoroughly investigated by a set of Helm maintainers.

To make a report please email the private security list at [email protected] with the details.

You may, but are not required to, encrypt your email to this list using the PGP keys of security team members, listed below.

Name Key URL Fingerprint
Adam Reese link 49D0 9C86 C3DC 8DA3 F0A0 7622 1EF6 1234 7F8A 9958
Adnan Abdulhussein link 5111 DA73 DF12 D8E8 12CA 462F 2CDB BFBB 37AE 822A
Justin Scott link 0246 9D6A 9531 A14F E405 E4A4 3C36 16B8 9FBB 1F50
Matt Butcher link ABA2 5295 98F6 626C 420D 335B 62F4 9E74 7D91 1B60
Matt Farina link 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
Matt Fisher link 967F 8AC5 E221 6F9F 4FD2 70AD 92AA 783C BAAE 8E3B
Michelle Noorali
Nikhil Manchanda link 5674 7211 71F8 CD59 F285 353D 9692 757E BCD3 D66C
Vic Iglesias link 43A7 994E F6C7 7D7F 147B C152 381B ABCF F47D EAFC

When To Send A Report

You think you have found a vulnerability in a Helm project or a dependency of a Helm project. This can be any of the repositories on the Helm GitHub organization.

When Not To Send A Report

  • If a vulnerability has been found in an application deployed by a Helm Chart. Instead, contact the application maintainers
  • For guidance on securing Helm, please see the documentation or ask in one of the support channels
  • You are looking for help applying security updates

Security Vulnerability Response

Each report will be reviewed and receipt acknowledged within 3 business days. This will set off the security review process detailed below.

Any vulnerability information shared with the security team stays within the Helm project and will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need to know basis.

We ask that vulnerability reporter(s) act in good faith by not disclosing the issue to others. And we strive to act in good faith by acting swiftly, and by justly crediting the vulnerability reporter(s) in writing.

As the security issue moves through triage, identification, and release the reporter of the security vulnerability will be notified. Additional questions about the vulnerability may also be asked of the reporter.

Public Disclosure

A public disclosure of security vulnerabilities is released alongside release updates or details that fix the vulnerability. We try to fully disclose vulnerabilities once a mitigation strategy is available. Our goal is to perform a release and public disclosure quickly and in a timetable that works well for users. For example, a release may be ready on a Friday but for the sake of users may be delayed to a Monday.

CVEs will be assigned to vulnerabilities. Due to the process and time it takes to obtain a CVE ID, disclosures will happen first. Once the disclosure is public the process will begin to obtain a CVE ID. Once the ID has been assigned the disclosure will be updated.

If the vulnerability reporter would like their name and details shared as part of the disclosure process we are happy to. We will ask permission and for the way the reporter would like to be identified. We appreciate vulnerability reports and would like to credit reporters if they would like the credit.

Security Team Membership

The security team is made up of a subset of the Helm project maintainers who are willing and able to respond to vulnerability reports.

Responsibilities

  • Members MUST be active project maintainers as defined in the governance
  • Members SHOULD engage in each reported vulnerability, at a minimum to make sure it is being handled
  • Members MUST keep the vulnerability details private and only share on a need to know basis

Membership

New members are required to be active maintainers of Helm projects who are willing to perform the responsibilities outlined above. The security team is a subset of the maintainers. Members can step down at any time and may join at any time.

Patch and Release Team

When a vulnerability comes in and is acknowledged, a team - including maintainers of the Helm project affected - will assembled to patch the vulnerability, release an update, and publish the vulnerability disclosure. This may expand beyond the security team as needed but will stay within the pool of Helm project maintainers.

Disclosures

Vulnerability disclosures are published as blog posts on the Helm Blog and emailed to the Helm mailing list. The disclosures will contain an overview, details about the vulnerability, a fix for the vulnerability that will typically be an update, and optionally a workaround if one is available.

Disclosures will be published on the same day as a release fixing the vulnerability after the release is published.

There aren’t any published security advisories