Skip to content

Commit

Permalink
blurb on security scan reporting (kiali#716)
Browse files Browse the repository at this point in the history
  • Loading branch information
jmazzitelli authored and hhovsepy committed Apr 5, 2024
1 parent 1248760 commit fe332c9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion content/en/news/security-bulletins/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ weight: 2
{{% alert color="info" %}}
NOTE: Kiali takes security seriously and encourages users to report security concerns.

If you run a security scan on Kiali software and would like to report a security scan report to the Kiali team, we only ask that you first verify that your scan is correctly validating the latest release and that the results are valid. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies.
If you run a security scan on Kiali software that automatically generates a list of potential vulnerabilities and would like to report this security scan report to the Kiali team, we ask that you first verify that your scan is correctly validating the latest release and that the list of results is valid, contains no duplicates, and the reported vulnerabilities truly affect Kiali. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies.
{{% /alert %}}

Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:
Expand Down

0 comments on commit fe332c9

Please sign in to comment.