Skip to content

Security: NWarila/deploy-application-template

SECURITY.md

Security Policy

Reporting a vulnerability

Do not file public issues for security vulnerabilities.

Preferred: GitHub private vulnerability reporting

Use GitHub's private vulnerability reporting through this repository's Security tab.

Fallback contact

If private reporting is unavailable, contact the maintainer via their GitHub profile.

What to include

  • Description of the vulnerability and potential impact
  • Steps to reproduce or proof of concept
  • Affected manifest/path (or "latest default branch")

Response timeline

Stage Target
Initial acknowledgement 7 business days
Validation 14 days
Remediation or mitigation 90 days when reasonable

Targets, not guarantees. Complex issues may take longer; you will be kept informed.

Scope notes specific to deploy-* repositories

  • Manifests only. A deploy-* repo contains no secret material — no unseal or recovery keys, tokens, TLS private keys, or registry credentials. A committed secret is in scope and urgent; report it privately.
  • Secrets are delivered out-of-band. SOPS-encrypted Secrets live in the cluster repository (decrypted by the cluster's key, not by this repo's reconciler). Nothing here decrypts anything.
  • Image supply chain is out of scope here. Image build, SBOM, provenance, and signing are owned by the image-build repository (e.g. a chiseled-application-template / ubi9-application-template consumer). Report image-build issues there.
  • Cluster admission/RBAC is out of scope here. Namespace RBAC, admission policy (Kyverno), and the network envelope are owned by the cluster repository.

There aren't any published security advisories