ngrok/ngrok-operator
1
0
Fork 0
mirror of https://github.com/ngrok/ngrok-operator.git synced 2026-05-17 16:50:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial SECURITY.md file (#777)

Browse Source
This commit is contained in:
Sabrina Ahmed
2026-03-13 11:00:14 -05:00
committed by GitHub
parent 769efe702e
commit 57ee92c66c
1 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SECURITY.md
+74
View File
@@ -0,0 +1,74 @@
# Security Policy
## Reporting a Vulnerability
The ngrok Kubernetes Operator team takes security vulnerabilities seriously. We appreciate responsible disclosure and will work with you to investigate and address any issues.
**Please do not report security vulnerabilities through public GitHub issues.**
To report a security vulnerability, please use the [GitHub Security Advisory](https://github.com/ngrok/ngrok-operator/security/advisories/new) feature. This allows you to report the issue privately to the maintainers.
Alternatively, you may email **security@ngrok.com** with:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any suggested mitigations, if known
### What to Expect
- **Acknowledgement**: We will acknowledge receipt of your report within 3 business days.
- **Assessment**: We will investigate and confirm whether the report describes a genuine vulnerability within 10 business days.
- **Resolution**: Once confirmed, we will work on a fix and coordinate a disclosure timeline with you.
- **Credit**: We are happy to credit reporters in release notes and advisories, unless you prefer to remain anonymous.
We ask that you:
- Give us reasonable time to address the issue before any public disclosure.
- Avoid accessing or modifying other users' data during your research.
- Act in good faith to avoid privacy violations, data destruction, or service disruption.
## Supported Versions
Security fixes are applied to the **latest release** of the ngrok Kubernetes Operator. We encourage all users to stay on the most recent version.
| Version | Supported |
|---------|-----------|
| Latest (0.x) | :white_check_mark: |
| Older releases | :x: |
Since the operator is currently pre-1.0.0, only the most recent release branch receives security updates. Users are encouraged to upgrade promptly when new releases are available.
## Scope
This security policy applies to vulnerabilities in the **ngrok Kubernetes Operator** itself, including:
- The operator controller and reconciliation logic
- Helm chart configuration and defaults
- CRD definitions and admission webhooks
- Container images published to the ngrok container registry
### Out of Scope
- Vulnerabilities in the ngrok platform or ngrok agent itself — please report those via [ngrok's security disclosure process](https://ngrok.com/security)
- Vulnerabilities in third-party dependencies — please report those to the relevant upstream projects
- Scanner output that has not been independently verified as exploitable in the context of this operator
- Issues in older, unsupported versions of the operator
## Security Announcements
To stay informed about security updates and advisories:
- Watch this repository for [security advisories](https://github.com/ngrok/ngrok-operator/security/advisories)
- Monitor the [GitHub releases page](https://github.com/ngrok/ngrok-operator/releases) for security-related releases
## Disclosure Policy
When a vulnerability is confirmed, we follow coordinated disclosure:
1. A patch is prepared in a private fork or branch.
2. A GitHub Security Advisory is drafted with CVE assignment requested if applicable.
3. The fix is released and the advisory is published simultaneously.
4. Release notes will reference the advisory.
We aim to disclose vulnerabilities within **90 days** of the initial report, in line with common industry standards.