|
| 1 | +# SAS® Viya® Monitoring for Kubernetes Security Policy |
| 2 | + |
| 3 | +Project maintainers and community contributors take security issues seriously. We appreciate efforts to disclose potential issues responsibly and will acknowledge viable contributions. To aid in the investigation of reported vulnerabilities, please follow the [reporting guidelines](#reporting-guidelines) outlined below. |
| 4 | + |
| 5 | +## Scope of Security Reports |
| 6 | + |
| 7 | +### In Scope |
| 8 | +The following components are directly maintained by this project and should be reported through our security reporting process: |
| 9 | + |
| 10 | +* Custom deployment scripts and automation code |
| 11 | +* Project-specific configuration files and templates |
| 12 | +* Custom Kubernetes manifests and Helm charts |
| 13 | +* Project documentation and guidance |
| 14 | +* Any other artifacts created and maintained specifically by the SAS Viya Monitoring project |
| 15 | + |
| 16 | +### Out of Scope |
| 17 | +This project deploys and configures various third-party open-source monitoring tools. For a complete inventory of third-party components used by this project, please refer to [ARTIFACT_INVENTORY.md](ARTIFACT_INVENTORY.md). |
| 18 | + |
| 19 | +Vulnerabilities in these underlying components should be reported to their respective projects. For example: |
| 20 | + |
| 21 | +* Grafana - Report via [Grafana Security](https://grafana.com/security/) |
| 22 | +* Prometheus - Report via [Prometheus Security](https://prometheus.io/docs/operating/security/) |
| 23 | +* OpenSearch - Report via [OpenSearch Security](https://github.com/opensearch-project/OpenSearch/security/policy) |
| 24 | + |
| 25 | +If you're unsure whether a vulnerability belongs to our project's code or an underlying component, please submit the report through our process and we will help direct it to the appropriate team. |
| 26 | + |
| 27 | +## Reporting Guidelines |
| 28 | + |
| 29 | +To report a suspected security issue that is in scope for this project, use GitHub's private vulnerability reporting: |
| 30 | + |
| 31 | +1. Click the `Security` tab |
| 32 | +2. Click the `Report a vulnerability` button |
| 33 | + |
| 34 | +Please provide the following information with your security report: |
| 35 | + |
| 36 | +* Your name and affiliation (if applicable) |
| 37 | +* Version/build-date of the SAS Viya Monitoring project |
| 38 | +* Detailed description of the security issue |
| 39 | +* Steps to reproduce the issue |
| 40 | +* Impact of the vulnerability |
| 41 | +* Any known public information about this vulnerability (e.g., related CVE, security advisory) |
| 42 | +* Whether the vulnerability exists in the latest version |
| 43 | +* Suggested fixes or mitigations (if any) |
| 44 | + |
| 45 | +## Recognition |
| 46 | + |
| 47 | +Contributors who responsibly disclose security vulnerabilities will be acknowledged in our release notes (unless they prefer to remain anonymous). |
| 48 | + |
| 49 | +## Additional Information |
| 50 | + |
| 51 | +For general questions about the project's security, please open a regular GitHub issue. Do not include sensitive security-related details in public issues. |
| 52 | + |
| 53 | +Note: This security policy may be updated from time to time. Please refer to the latest version in the repository. |
0 commit comments