Please do not report security vulnerabilities or security incidents via public channels such as GitHub Issues or Pull Requests. To ensure coordinated disclosure, direct all security questions and vulnerability reports to:
- Email: secalert@redhat.com
Further details at https://access.redhat.com/security/team/contact
To help us triage and resolve the issue efficiently, please include the following in your report:
- Title: A concise, descriptive summary of the issue.
- Reporter Details: Your name or handle and affiliation.
- Technical Description: Detailed information regarding the vulnerability.
- Affected Versions: The specific version(s) or range(s) of software tested.
- Reproduction Steps: A minimal, functional example to reproduce the issue.
- Impact Assessment: Potential exploit scenarios and perceived severity (optional).
- Suggested Fix: Any proposed patches or mitigations (optional).
- Disclosure Status: Whether this has been shared with other parties or published, and your plan for future sharing (e.g., at a conference).
We aim to provide an initial acknowledgement of your report within 10 business days. All confirmed security vulnerabilities and incidents will be addressed according to severity level and impact on the project.
- Embargoed fixes are developed in private branches or forks to prevent premature disclosure.
- All security patches undergo peer review by at least one other maintainer with relevant domain knowledge.
- Patches are tested against the reproduction steps from the original report and validated against regression test suites.
- Security fixes are distributed through the project's normal release channels (container images, operator index, helm registry).
- Release notes must reference the associated CVE ID(s) and advisory.
The StackRox project follows a Coordinated Vulnerability Disclosure (CVD) model aligned with OpenSSF guidance:
- Embargo Period: Vulnerability details remain confidential until a fix is available and released.
- Disclosure Timing: Public disclosure occurs simultaneously with or immediately after the availability of a patched release.
- Pre-notification: For Critical severity issues affecting widely-deployed components, the Security Team may provide advance notice to major downstream users under embargo, up to 7 days before public disclosure.
We regularly perform patch releases for at least two most recent minor versions, which contain fixes for relevant security vulnerabilities and important bugs. Prior releases might receive critical security fixes on a best-effort basis. However, we cannot guarantee that security fixes will be back-ported to older unsupported versions.
We follow established industry best practices for secure development incl. but not limited to
- Secured version control of source code
- Mandatory peer reviews
- Build time vulnerability scanning
- Automatic update of 3rd party dependencies
- Automatic end 2 end testing of security relevant features (e.g. authentication)
This project is stewarded by Red Hat, Inc., an open source software steward as defined in Article 3(14) of the EU Cyber Resilience Act (Regulation 2024/2847). Contact: cra-steward@redhat.com
Refer to Red Hat's security practices and vulnerability management policy for detailed information.