| 1 | +# Security Policy |
| 2 | + |
| 3 | +The kas community takes the security of its code seriously. If you think you |
| 4 | +have found a security vulnerability, please read the next sections and follow |
| 5 | +the instructions to report your finding. |
| 6 | + |
| 7 | +## Security Context |
| 8 | + |
| 9 | +Open source software can be used in various contexts that may go far beyond |
| 10 | +what it was originally designed and also secured for. Therefore, we describe |
| 11 | +here how kas is currently expected to be used in security-sensitive scenarios. |
| 12 | + |
| 13 | +In a nutshell, the purpose of kas is fetching known and previously validated |
| 14 | +content, identifying it as original, and then configuring and building |
| 15 | +artifacts. Therefore, anything that may prevent checking the integrity of |
| 16 | +fetched content prior to executing instructions it carries is security-wise in |
| 17 | +scope for kas. This affects both the kas tool itself and the containers |
| 18 | +provided by kas because they also contain tools that kas or bitbake use for |
| 19 | +fetching and validating. |
| 20 | + |
| 21 | +## Reporting a Vulnerability |
| 22 | + |
| 23 | +Please DO NOT report any potential security vulnerability via a public channel |
| 24 | +(mailing list, github issue etc.). Instead, create a report via |
| 25 | +https://github.com/siemens/kas/security/advisories/new or contact the |
| 26 | +maintainer [email protected] via email directly. Please provide a detailed |
| 27 | +description of the issue, the steps to reproduce it, the affected versions and, |
| 28 | +if already available, a proposal for a fix. You should receive a response |
| 29 | +within 5 working days. If the issue is confirmed as a vulnerability by us, we |
| 30 | +will open a Security Advisory on github and give credits for your report if |
| 31 | +desired. This project follows a 90 day disclosure timeline. |
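Review bot: The "Security Context" section defines what is in scope (anything that prevents integrity checking of fetched content before its instructions run, in kas itself and in the kas containers) but never states what is out of scope, which is what triages most incoming reports; suggest adding one sentence, for example "Vulnerabilities in the upstream content that kas fetches, or in bitbake and the layers it builds, are out of scope for kas and should be reported to those projects." Two smaller points in the "Reporting a Vulnerability" section: the 90 day disclosure timeline should say when the clock starts (receipt of the report or confirmation of the vulnerability), and the direct-email path offers no way to encrypt a report, so either point to a published key for the maintainer address or state that the GitHub advisory form is the preferred channel for sensitive details. Wording: "give credits for your report" reads better as "give credit for your report", and "github" should be "GitHub" in both places.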