Policy version 1.0 (2025/11/05)
The argocd-agent project takes security very seriously, and we are committed to continuously working on improving the security of the project.
Only the most recent minor release line (e.g. 1.0 or 1.1) receives security fixes; fixes are not back-ported to older minor versions, so users should stay on the latest minor release to receive them.
If you find a security vulnerability in the argocd-agent code, we appreciate your responsible disclosure to us.
Please report vulnerabilities confidentially using GitHub's private vulnerability reporting feature on the argocd-agent repository, which lets you create a confidential vulnerability report that is visible only to the maintainers. Do not open a public issue or pull request for an unpublished vulnerability.
We will do our best to respond quickly to your report and to coordinate a fix and disclosure with you. Sometimes it may take a little longer for us to respond (e.g. due to out-of-office conditions), so please bear with us in those cases.
We will publish security advisories using the GitHub Security Advisories feature, which includes issuing a CVE, to keep our community well-informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).
Please DO NOT report already known issues (for example, CVEs that have already been issued for base images or dependencies) through GitHub's private vulnerability reporting feature. In these cases, please open a normal GitHub issue (bug report) instead. Since such issues are already public, there is no reason to keep them confidential.