Skip to content

Security: cedana/cri-o

Security

SECURITY.md

CRI-O Security

CRI-O is used in production across many industries that rely on a stable and secure container runtime for critical infrastructure. Security is taken seriously and has high priority across all related projects to ensure users can trust CRI-O for their systems. This means that not only vulnerabilities for this project, but also for depending ones can be reported through our process, for example if a vulnerability affects conmon or conmon-rs.

We're extremely grateful for security researchers and users that report vulnerabilities to the CRI-O community. All reports are thoroughly investigated by a set of community volunteers.

Report a Vulnerability

To make a report, email the vulnerability to the private [email protected] list with the security details and the details expected for all CRI-O bug reports.

You can expect an initial response to the report within 3 business days. Possible fixes for vulnerabilities will be then discussed via the mail thread and can be considered as automatically embargoed until they got merged into all related branches. A project approver or reviewer (as defined in the OWNERS file) will coordinate how the pull requests and patches are being incorporated into the repository without breaking the embargo.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in CRI-O
  • You are unsure how a vulnerability affects CRI-O
  • You think you discovered a vulnerability in another project that CRI-O depends on (for projects with their own vulnerability reporting and disclosure process, please report it directly there)

When Should I NOT Report a Vulnerability?

  • You need help tuning CRI-O components for security
  • You need help applying security related updates
  • Your issue is not security related

There aren’t any published security advisories