Responsible Disclosure Policy

If you discover a security vulnerability, the Spinnaker Security SIG would like to know about it. The quicker we know, the quicker we can take steps to address the issue. We ask that you not publicly disclose the vulnerability until we have had the chance to investigate and determine the impact.

How to report a security vulnerability in Spinnaker?

If you believe that you have found a security vulnerability in Spinnaker, please email to report the issue. Include the following in the report:

  1. Description of the vulnerability
  2. Potential impact of the vulnerability
  3. A detailed description of how to reproduce the vulnerability (including scripts, screenshots, etc.)

This email address is only for reporting security vulnerabilities. For general help or bug reports, please use either Spinnaker Slack or GitHub issues.

Security SIG Roadmap

The Security SIG Roadmap defines the work that we want to do for 2019.