|
1 | | -# Security policy |
| 1 | +# Security Policy |
2 | 2 |
|
3 | | -## Security bulletins |
| 3 | +## Supported Versions |
4 | 4 |
|
5 | | -For information regarding the security of this project please join: |
| 5 | +Kubeflow Spark History MCP Server versions are expressed as `vX.Y.Z`, where X is the major version, |
| 6 | +Y is the minor version, and Z is the patch version, following the |
| 7 | +[Semantic Versioning](https://semver.org/) terminology. |
6 | 8 |
|
7 | | -* <!-- TODO: $SLACK-CHANNEL --> |
8 | | -* <!-- TODO: $EMAIL-LIST --> |
| 9 | +The Kubeflow Spark History MCP Server project maintains release branches for the most recent two minor releases. |
| 10 | +Applicable fixes, including security fixes, may be backported to those two release branches, |
| 11 | +depending on severity and feasibility. |
9 | 12 |
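Review bot: the "most recent two minor releases" policy on new lines 9-11 leaves the reader no way to tell which versions are currently supported, and "may be backported ... depending on severity and feasibility" does not say whether security fixes are always among them; the version table being dropped further down (old lines 49-52) was the only place that named concrete versions. Suggest linking the repository's releases page or naming the two currently supported minor branches here, and stating plainly that security fixes are backported to both supported branches (with any exception spelled out) so users know what to expect.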
|
10 | | -You may also subscribe to an RSS feed of the above using <!-- TODO: $LINK -->. |
| 13 | +Users are encouraged to stay updated with the latest releases to benefit from security patches and |
| 14 | +improvements. |
11 | 15 |
|
12 | | -## Reporting a vulnerability |
| 16 | +## Reporting a Vulnerability |
13 | 17 |
|
14 | | -Please use the below process to report a vulnerability to the project: |
| 18 | +We're extremely grateful for security researchers and users that report vulnerabilities to the |
| 19 | +Kubeflow Open Source Community. All reports are thoroughly investigated by Kubeflow projects owners. |
15 | 20 |
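Review bot: "Kubeflow projects owners" on new line 19 (and again on new line 32) should read "Kubeflow project owners". It would also help to say who that is for this repository, since a reporter sending a private advisory wants to know who will see it; a link to the maintainer list would do.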
|
16 | | -Email: |
| 21 | +You can use the following ways to report security vulnerabilities privately: |
17 | 22 |
|
18 | | -1. Email the **<!-- TODO: $NAME-->**: **<!-- TODO: $ALIAS -->** |
19 | | - * Emails should contain: |
20 | | - * description of the problem |
21 | | - * precise and detailed steps (include screenshots) that created the |
22 | | - problem |
23 | | - * the affected version(s) |
24 | | - * any possible mitigations, if known |
25 | | -1. You will receive a reply from one of the maintainers within **<!-- TODO: $X days -->** |
26 | | - acknowledging receipt of the email. |
27 | | -1. You may be contacted by a **<!-- TODO: $PERSON -->** to further discuss the reported item. |
28 | | - Please bear with us as we seek to understand the breadth and scope of the |
29 | | - reported problem, recreate it, and confirm if there is a vulnerability |
30 | | - present. |
| 23 | +- Using the Kubeflow Spark History MCP Server repository [GitHub Security Advisory](https://github.com/kubeflow/mcp-apache-spark-history-server/security/advisories/new). |
| 24 | +- Using our private Kubeflow Steering Committee mailing list: [email protected]. |
31 | 25 |
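Review bot: the mailing-list address on new line 24 renders as `[email protected]`, which is not a usable address (it looks like an email-obfuscation artifact from the rendered page), so one of the two private reporting channels is effectively missing; please restore the actual Kubeflow Steering Committee list address, or drop the bullet and leave the GitHub Security Advisory as the single channel. While here, new line 23 might note that the advisory form keeps the report private until disclosure, which is the property a reporter is choosing it for.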
|
32 | | -Web Form: |
| 26 | +Please provide detailed information to help us understand and address the issue promptly. |
33 | 27 |
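Review bot: "Please provide detailed information" on new line 26 is weaker than the checklist it replaces (old lines 19-24: description of the problem, precise reproduction steps, affected version(s), any known mitigations). Reporters follow such lists closely and triage is faster with them, so suggest carrying that bullet list over under the new wording, e.g. "Reports should include: a description of the problem, steps to reproduce it, the affected version(s), and any mitigations you are aware of."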
|
34 | | -1. Please visit **<!-- TODO: $LINK -->** |
35 | | - * You will receive a confirmation email upon submission |
36 | | -1. You may be contacted by a **<!-- TODO: $PERSON -->** to further discuss the reported item |
37 | | - within **<!-- TODO: $X days -->**. Please bear with us as we seek to understand the breadth |
38 | | - and scope of the reported problem, recreate it, and confirm if there is an |
39 | | - vulnerability present. |
| 28 | +## Disclosure Process |
40 | 29 |
|
41 | | -This project follows a **<!-- TODO: $X day --> disclosure timeline**. Refer to our embargo |
42 | | -policy **<!-- TODO: $LINK -->** for more information. |
| 30 | +**Acknowledgment**: We will acknowledge receipt of your report within 10 business days. |
43 | 31 |
|
44 | | -## Supported Versions |
| 32 | +**Assessment**: The Kubeflow projects owners will investigate the reported issue to determine its |
| 33 | +validity and severity. |
| 34 | + |
| 35 | +**Resolution**: If the issue is confirmed, we will work on a fix and prepare a release. |
| 36 | + |
| 37 | +**Notification**: Once a fix is available, we will notify the reporter and coordinate a public |
| 38 | +disclosure. |
| 39 | + |
| 40 | +**Public Disclosure**: Details of the vulnerability and the fix will be published in the project's |
| 41 | +release notes and communicated through appropriate channels. |
| 42 | + |
| 43 | +## Prevention Mechanisms |
| 44 | + |
| 45 | +Kubeflow Spark History MCP Server employs several measures to prevent security issues: |
| 46 | + |
| 47 | +**Code Reviews**: All code changes are reviewed by maintainers to ensure code quality and security. |
| 48 | + |
| 49 | +**Dependency Management**: Regular updates and monitoring of dependencies (e.g. Dependabot) to |
| 50 | +address known vulnerabilities. |
| 51 | + |
| 52 | +**Continuous Integration**: Automated testing and security checks are integrated into the CI/CD pipeline. |
| 53 | + |
| 54 | +**Image Scanning**: Container images are scanned for vulnerabilities. |
| 55 | + |
| 56 | +## Communication Channels |
| 57 | + |
| 58 | +For the general questions please join the following resources: |
| 59 | + |
| 60 | +- Kubeflow [Slack channels](https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels). |
45 | 61 |
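Review bot: the Disclosure Process (new lines 28-41) commits only to a 10 business day acknowledgment and gives no target for the remaining stages, while the text it replaces (old lines 41-42) at least carried a disclosure-timeline placeholder and an embargo-policy reference; suggest adding a target window for fix and public disclosure, and stating what happens if a fix is not ready by then, since reporters use this to decide when they may publish. The Prevention Mechanisms claims on new lines 47-54 ("security checks", "Container images are scanned") would be more credible if they named the tooling or CI job that performs them, as the Dependency Management item already does with Dependabot.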
|
46 | | -Information regarding supported versions of this project can be found on |
47 | | -**<!-- TODO: $LINK -->** located on the **<!-- TODO: $WEBSITE -->** and in the below table: |
| 62 | +- Kubeflow discuss [mailing list](https://www.kubeflow.org/docs/about/community/#kubeflow-mailing-list). |
48 | 63 |
|
49 | | -| Version | Supported | |
50 | | -| --- | --- | |
51 | | -| <!-- TODO: x.xx.x --> | :white_check_mark: | |
52 | | -| <=<!-- TODO: x.xx.x --> | :x: | |
| 64 | +Please **do not report** security vulnerabilities through public channels. |
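Review bot: "For the general questions" on new line 58 should read "For general questions". New line 64 is the right place for the no-public-reports warning, but "public channels" would be clearer if it named them: public GitHub issues or pull requests, the Slack channels and the discuss mailing list listed just above, pointing the reader back to the Reporting a Vulnerability section instead.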