This is the security policy for the Podman Desktop project. It applies to all repositories in the Podman Desktop GitHub organization.
If you think you've identified a security issue in a Podman Desktop project, please DO NOT report the issue publicly via the GitHub issue tracker, mailing list, or chat. Instead, you have two options:
- Open a private GitHub Security Vulnerability Advisory (GitHub documentation).
- Send an email with as many details as possible to cncf-podman-desktop-security@lists.cncf.io. This is a private mailing list for the core maintainers.
The cncf-podman-desktop-maintainers@lists.cncf.io email list is used for messages about Podman Desktop security announcements as well as general announcements and discussions. You can join the list here or by sending an email to cncf-podman-desktop-maintainers+subscribe@lists.cncf.io.
Each report is acknowledged and analyzed by the core maintainers within 3 working days.
Any vulnerability information shared with core maintainers stays within a Podman Desktop project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
As the security issue moves from triage, to an identified fix, to release planning, the core maintainers will keep the reporter updated.