From e5b04e8fdb4aceaa5bdbaf06543eb69c2d766299 Mon Sep 17 00:00:00 2001 From: John Mazzitelli Date: Mon, 13 Nov 2023 14:49:23 -0500 Subject: [PATCH] blurb on security scan reporting (#716) --- content/en/news/security-bulletins/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/news/security-bulletins/_index.md b/content/en/news/security-bulletins/_index.md index 9ad907307..d11fdc2e6 100644 --- a/content/en/news/security-bulletins/_index.md +++ b/content/en/news/security-bulletins/_index.md 
@@ -9,7 +9,7 @@ weight: 2 {{% alert color="info" %}} NOTE: Kiali takes security seriously and encourages users to report security concerns. -If you run a security scan on Kiali software and would like to report a security scan report to the Kiali team, we only ask that you first verify that your scan is correctly validating the latest release and that the results are valid. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies. +If you run a security scan on Kiali software that automatically generates a list of potential vulnerabilities and would like to report this security scan report to the Kiali team, we ask that you first verify that your scan is correctly validating the latest release and that the list of results is valid, contains no duplicates, and the reported vulnerabilities truly affect Kiali. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies. {{% /alert %}} Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below:
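Review bot: the rewritten sentence in the alert is hard to parse and partly redundant with the paragraph's own closing sentence; its clause "and the reported vulnerabilities truly affect Kiali" is restated two sentences later as "the reported security issue(s) actually affect Kiali or one of its dependencies", and "report this security scan report" repeats "report" awkwardly. Suggest tightening the added text to something like "If you run a security scan on Kiali software that automatically generates a list of potential vulnerabilities and want to send that list to the Kiali team, we ask that you first verify that the scan targeted the latest release, that the results contain no duplicates, and that each reported vulnerability is valid." and letting the unchanged closing sentence carry the "actually affect Kiali or one of its dependencies" point. It would also help to ask submitters to name the scanner and the exact Kiali release or image they scanned, since the stated purpose of the paragraph is to reduce the time maintainers spend reproducing and validating reports.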