The kube-router maintainers take security issues seriously. We appreciate responsible disclosure and will work with you to understand and address valid reports.

Please do not open a public GitHub issue, pull request, or discuss a potential vulnerability in public forums/Slack before the maintainers have had a chance to review and respond.

Use one of the following private channels:

• Email: [email protected]
• GitHub (preferred when available): https://github.com/cloudnativelabs/kube-router/security/advisories/new

If you are reporting via email, include [SECURITY] in the subject line.

To help us triage quickly, please include:

• A clear description of the issue and its potential impact
• Affected versions/branches (and any configuration details that matter)
• Reproduction steps or a minimal proof of concept (as appropriate)
• Any known mitigations or workarounds
• Your preferred contact information for follow-up

When we receive a report, we aim to:

• Acknowledge receipt within 2 business days
• Provide an initial assessment and request additional details (if needed)
• Develop and validate a fix (and backport on a best-effort basis when feasible)
• Coordinate release timing and public disclosure with the reporter

We follow responsible/coordinated disclosure practices. Please give us a reasonable amount of time to investigate and prepare a fix before publishing details. If a CVE is warranted, the maintainers will coordinate with the appropriate CVE numbering authority.

Security fixes are provided on a best-effort basis for:

• The latest released minor version
• The previously released minor version

Older versions may not receive security updates; upgrading is strongly recommended.

Security advisories and releases are published via GitHub. We recommend watching the repository and staying current with upstream releases.