
Security: boanlab/kloudlens-cli


SECURITY.md

Security Policy

Supported Versions

kloudlens-cli is under active development and has not yet cut a tagged release. Only the latest commit on the main branch receives security fixes.

Version                 Supported
----------------------  ---------
Latest main             Yes
Forks / older commits   No

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Please report security issues by email to namjh@dankook.ac.kr with the subject line [kloudlens-cli Security].

Include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Your environment (OS, Go version, kloudlens-cli version / commit SHA, agent version the CLI was talking to)
  • Affected command or code path (klctl <verb>, contract adapter name, streaming code path, config file handling, etc.)
  • Any suggested mitigations if you have them

We aim to acknowledge reports within 5 business days.

Disclosure Policy

We follow a coordinated disclosure model. Please allow us reasonable time to address the vulnerability before any public disclosure. We will credit reporters in the release notes unless you prefer to remain anonymous.

Scope

In scope for this repo:

  • The klctl CLI binary and all its subcommands
  • Contract adapters that generate enforcer policies (seccomp, AppArmor, KubeArmor, Cilium, Kyverno, OPA/Rego, NetworkPolicy, PodSecurity)
  • gRPC client handling (the dial path; the wire is plaintext today, but any future credential plumbing on the CLI side belongs here)
  • Cursor-resume file handling on disk
  • The container image published from this repo

Out of scope — report against the relevant upstream instead:

  • KloudLens itself (kloudlens, eBPF programs) — see boanlab/KloudLens SECURITY.md
  • The cluster fan-in (kloudlens-aggregator) — see boanlab/kloudlens-aggregator SECURITY.md
  • Third-party dependencies (report to the upstream project)
  • Misconfigurations in user-supplied BehaviorContract YAML
  • Downstream enforcer behavior after a generated policy is loaded
