The following versions of GitFusion currently receive security updates:

| Version | Supported |
| ------- | --------- |
| 0.1.0   | ✅        |

The KubeRocketCI team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
To report a security vulnerability, please follow these steps:
- DO NOT disclose the vulnerability publicly on GitHub Issues or other public forums.
- Email us at SupportEPMD-EDP@epam.com with a detailed description of the vulnerability.
- Include steps to reproduce, impact, and any potential mitigations if known.
- Allow time for the team to investigate and address the vulnerability before any public disclosure.

After you submit a report, you can expect:

- Acknowledgment of your report within 48 hours
- An initial assessment of the report within 7 days
- Regular updates about the progress of addressing the vulnerability
- Credit for discovering the vulnerability (unless you prefer to remain anonymous)

We follow a coordinated disclosure process:
- Once a vulnerability is confirmed, we develop and test a fix
- We prepare a security advisory to accompany the fix
- We release the fix and publish the security advisory simultaneously
- After the fix has been available for 10 days, details may be discussed publicly

When deploying GitFusion:
- Use the principle of least privilege for the service account
- Keep your Kubernetes environment updated with security patches
- Protect API keys and tokens used for Git provider authentication
- Regularly review and audit access to GitFusion and its resources
- Follow security best practices for handling Git credentials
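
The following manifests show what the first, third and fourth items above look like in practice: a dedicated service account bound to a namespaced Role instead of cluster-admin, the Git provider token delivered from a Secret rather than hard-coded, and a restrictive pod security context. This is an added example, not GitFusion's own deployment manifests; the namespace, resource names, the `GIT_PROVIDER_TOKEN` variable, the image placeholder and the exact API permissions GitFusion requires are assumptions, so check the project's documentation before applying anything like it.

```yaml
# Added example, not GitFusion's own manifests. Namespace, names, the
# environment variable, and the API permissions GitFusion needs are
# assumptions; consult the project's documentation before applying.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitfusion                 # assumed name
  namespace: gitfusion            # assumed namespace
---
# Weak setting to avoid (shown commented out for contrast): binding the
# service account to cluster-admin grants it every verb on every resource.
#   kind: ClusterRoleBinding
#   roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cluster-admin}
#
# Least privilege instead: a namespaced Role limited to the verbs and
# resources assumed to be needed (here, reading one ConfigMap).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitfusion
  namespace: gitfusion
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["gitfusion-config"]   # assumed; restricts "get" to this one object
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitfusion
  namespace: gitfusion
subjects:
  - kind: ServiceAccount
    name: gitfusion
    namespace: gitfusion
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitfusion
---
# The Git provider token lives in a Secret created out of band, e.g.
#   kubectl -n gitfusion create secret generic gitfusion-git-token \
#     --from-literal=token=<token-from-your-git-provider>
# so it never appears in the image, the manifest, or version control.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitfusion
  namespace: gitfusion
spec:
  replicas: 1
  selector:
    matchLabels: {app: gitfusion}
  template:
    metadata:
      labels: {app: gitfusion}
    spec:
      serviceAccountName: gitfusion
      # Set to false if the workload never talks to the Kubernetes API.
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: gitfusion
          image: <gitfusion-image>:<tag>     # placeholder; pin to a digest in production
          env:
            - name: GIT_PROVIDER_TOKEN       # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: gitfusion-git-token
                  key: token
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

For the review-and-audit item, `kubectl auth can-i --list --as=system:serviceaccount:gitfusion:gitfusion -n gitfusion` prints everything the service account is allowed to do in the namespace; with the Role above it should show little beyond `get` on the named ConfigMap, and any extra verb that appears there is a binding worth explaining or removing.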

Thank you for helping us keep our project and our users secure!