Do not file public issues for security vulnerabilities.
Use GitHub's private vulnerability reporting through this repository's Security tab.
If private reporting is unavailable, contact the maintainer via their GitHub profile.
- Description of the vulnerability and potential impact
- Steps to reproduce or proof of concept
- Affected manifest/path (or "latest default branch")
| Stage | Target |
|---|---|
| Initial acknowledgement | 7 business days |
| Validation | 14 days |
| Remediation or mitigation | 90 days when reasonable |
Targets, not guarantees. Complex issues may take longer; you will be kept informed.
- Manifests only. A
deploy-*repo contains no secret material — no unseal or recovery keys, tokens, TLS private keys, or registry credentials. A committed secret is in scope and urgent; report it privately. - Secrets are delivered out-of-band. SOPS-encrypted Secrets live in the cluster repository (decrypted by the cluster's key, not by this repo's reconciler). Nothing here decrypts anything.
- Image supply chain is out of scope here. Image build, SBOM, provenance,
and signing are owned by the image-build repository (e.g. a
chiseled-application-template/ubi9-application-templateconsumer). Report image-build issues there. - Cluster admission/RBAC is out of scope here. Namespace RBAC, admission policy (Kyverno), and the network envelope are owned by the cluster repository.