Private Vulnerability Reporting on GitHub


Vitor Floriano

Apr 4, 2026, 6:15:41 PM
to kubernetes-security-discuss
Hi Folx,

So, I have a question/proposal:

In the standard Kubernetes Security Policy (SECURITY.md) used by all the Kubernetes projects and subprojects, the guidance on how to report a vulnerability links to the Kubernetes documentation, which then instructs:

> Reporting a Vulnerability
> Instructions for reporting a vulnerability can be found on the Kubernetes Security and Disclosure Information page.

The problem I see is that the information on that page is directed mostly to reporting vulnerabilities in k/k (bug bounty program, private email).

For kubernetes-sigs contributors, that's not very helpful.

When trying to report a vulnerability, kubernetes-sigs contributors need to find the SECURITY_CONTACTS in the repo and find a way to get in contact (again, the instruction in SECURITY_CONTACTS links to the same Kubernetes security page, which does not help in case the vulnerability is in the subproject only).

So, my question/proposal is:

Couldn't we recommend (or even enforce) Private Vulnerability Reporting in all repos in kubernetes-sigs? That would make it so much easier to report vulnerabilities in private and even collaborate on a patch in a temporary private fork.

A few repos in kubernetes-sigs already use this feature:

https://github.com/kubernetes-sigs/external-dns/security
https://github.com/kubernetes-sigs/headlamp/security
https://github.com/kubernetes-sigs/kwok/security
https://github.com/kubernetes-sigs/gateway-api/security

But the vast majority don't:

https://github.com/kubernetes-sigs/kubespray/security
https://github.com/kubernetes-sigs/kind/security
https://github.com/kubernetes-sigs/kustomize/security
https://github.com/kubernetes-sigs/kubebuilder/security
https://github.com/kubernetes-sigs/controller-runtime/security
https://github.com/kubernetes-sigs/krew/security
https://github.com/kubernetes-sigs/karpenter/security
https://github.com/kubernetes-sigs/metrics-server/security
https://github.com/kubernetes-sigs/descheduler/security
https://github.com/kubernetes-sigs/aws-load-balancer-controller/security
https://github.com/kubernetes-sigs/cluster-api/security
https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/security
https://github.com/kubernetes-sigs/kro/security
https://github.com/kubernetes-sigs/kueue/security
https://github.com/kubernetes-sigs/agent-sandbox/security
https://github.com/kubernetes-sigs/secrets-store-csi-driver/security
...and the list goes on...

WDYT?

ps: I first started this conversation in K8s Slack, and was oriented to reach out to the SRC.