OpenEBS follows a security policy similar to that of other CNCF projects, primarily inspired by the Kubernetes project. As the community and adoption grow, a much more detailed process will be put in place.
Security-related issues, once fixed, will be tracked publicly on GitHub Issues. New issue announcements are sent to [email protected].
If you find a security bug, please report it privately to the maintainers listed in the MAINTAINERS file of the relevant repository. We will fix the issue and coordinate a release date with you, acknowledging your effort and mentioning you by name if you want.
Each report is acknowledged and analyzed by the maintainers within 3 working days. As the security issue moves from triage to an identified fix to release planning, we will keep the reporter updated.
We prefer to fully disclose the bug as soon as possible once a user mitigation is available. The Fix Lead drives the schedule using their best judgment based on severity, development time, and release manager feedback. If the Fix Lead is dealing with a Public Disclosure all timelines become ASAP.