If you find a security related bug in Argo Workflows, we kindly ask you for responsible disclosure and for giving us appropriate time to react, analyze and develop a fix to mitigate the found security vulnerability.
Please report vulnerabilities by:
- Opening a draft GitHub Security Advisory: https://github.com/argoproj/argo-workflows/security/advisories/new
- Sending an e-mail to the following address: cncf-argo-security@lists.cncf.io
All vulnerabilities and associated information will be treated with full confidentiality.
Security vulnerabilities will be disclosed via release notes and using the GitHub Security Advisories feature to keep our community well informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).
See static code analysis.
We're happy to announce that the Argo project is collaborating with the great folks over at Hacker One and their Internet Bug Bounty program to reward the awesome people who find security vulnerabilities in the four main Argo projects (CD, Events, Rollouts and Workflows) and then work with us to fix and disclose them in a responsible manner.
If you report a vulnerability to us as outlined in this security policy, we will work together with you to find out whether your finding is eligible for claiming a bounty, and also on how to claim it.
See docs/security.md for information about securing your Argo Workflows instance.