From a0d3aa3aba801595fe70b66ab74b41b4c34fe7d8 Mon Sep 17 00:00:00 2001 From: mingcheng Date: Thu, 25 Jun 2026 18:03:38 +0800 Subject: [PATCH] docs: Add Security Policy and section - Add SECURITY.md with reporting and response process - Add Security section to profile/README.md linking to policy - Include CNCF Security Policy reference and reporting email Signed-off-by: mingcheng --- SECURITY.md | 27 +++++++++++++++++++++++++++ profile/README.md | 6 +++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..cf26835 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,27 @@ +# Security Policy + +The KusionStack is a CNCF incubating project, and we follow the [CNCF Security Policy](https://contribute.cncf.io/projects/best-practices/security/). And we take the security of KusionStack very seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly. + +## Reporting a Vulnerability + +To report a vulnerability, please follow these steps: + +1. Go to the **Security** tab in the relevant repository on GitHub. +2. Click on the **Advisories** tab. +3. Click on **Report a vulnerability**. + +Alternatively, you can send an email to [antsrc@service.alipay.com](mailto:antsrc@service.alipay.com) with a description of the issue, the steps to reproduce it, and the potential impact. + +You can expect a response within 24 hours to acknowledge that we've received your report. If you don't hear back in that time, please reach out to a committer directly to confirm we received your message. + +## Security Response Process + +Once a committer confirms the report is valid, they will create a draft security advisory on GitHub. We'll discuss the issue with the relevant maintainers and the reporter(s) in private. + +If you'd like to participate in the discussion, please provide your GitHub username so we can invite you. Otherwise, you can ask to be kept updated via email. + +If we accept the vulnerability, we'll work with you to determine a timeline for developing a patch, disclosing the issue publicly, and releasing the fix. + +## Scope + +We prioritize vulnerabilities that could compromise data confidentiality, allow privilege escalation, or affect data integrity. Availability issues such as Denial of Service (DoS) and resource exhaustion are also taken seriously. \ No newline at end of file diff --git a/profile/README.md b/profile/README.md index 2c9e406..2919b10 100644 --- a/profile/README.md +++ b/profile/README.md 
@@ -14,7 +14,7 @@ As world's most promising Kubernetes Explorer/Kubernetes Dashboard, our end goal [Kusion](https://github.com/KusionStack/kusion) is an intent-driven [Platform Orchestrator](https://internaldeveloperplatform.org/platform-orchestrators/), which sits at the core of an [Internal Developer Platform](https://internaldeveloperplatform.org/what-is-an-internal-developer-platform/). With Kusion you can enhance self-service developer experience, by giving developers the ability to deploy applications with all dependencies to all environments, with a single application specification - [AppConfiguration](https://www.kusionstack.io/docs/next/concepts/app-configuration). -Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process. +Inspired by the phrase **Fusion on Kubernetes**, Kusion aims to simplify the process of deploying applications into your infrastructure and helps platform teams standardize the whole deployment process. ## Kuperator @@ -33,3 +33,7 @@ We regularly post about technical practice and thinking we have solved and provi ## KusionStack Community Code of Conduct KusionStack follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). + +## Security + +KusionStack takes security seriously. If you discover a security vulnerability in any of our projects, please refer to our [Security Policy](https://github.com/KusionStack/.github/blob/main/SECURITY.md) for reporting guidelines. We will respond to all reports as quickly as possible.
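Review bot: the SECURITY.md hunk ends with `\ No newline at end of file`; add a trailing newline so the file is POSIX-clean and a later one-line edit does not show a spurious change on the "## Scope" paragraph. In the same hunk, step 3 ("Click on **Report a vulnerability**") only exists in repositories where private vulnerability reporting has been enabled in the repository's security settings; either state that in the policy or confirm it is switched on for every KusionStack repository, otherwise reporters fall back to the e-mail path or open a public issue, and the hunk never explicitly asks them not to do the latter. Wording: the opening sentence reads "The KusionStack is a CNCF incubating project" (drop the article) and the following "And we take the security..." reads better joined to the previous sentence.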
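Review bot: in the `@@ -14,7 +14,7 @@` hunk of profile/README.md, the removed and added "Inspired by the phrase **Fusion on Kubernetes**" lines are textually identical, so this is a whitespace-only change (most likely trailing whitespace) unrelated to the security section; either drop it from this docs commit or mention it in the commit message so the diff stays reviewable.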
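Review bot: in the `@@ -33,3 +33,7 @@` hunk, the new Security section links to the absolute URL https://github.com/KusionStack/.github/blob/main/SECURITY.md, which pins the policy to the `main` branch of the `.github` repository; that is acceptable for an organization profile README, but note in the commit message that the link must be updated if the default branch or file location changes, and that it resolves only once SECURITY.md from this same commit is merged. Minor: SECURITY.md promises an acknowledgement within 24 hours while this section says "as quickly as possible"; stating the same commitment in both places avoids reporters reading the two differently.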