Ensure Vulnerability Report Responses Within 14 Days
Description:
The [vulnerability_report_response] criterion is currently unmet. OpenSSF requires that all vulnerability reports filed in the last 6 months receive an initial response within 14 days. While SECURITY.md already commits to acknowledgment in 3 working days, the policy should explicitly note compliance with the 14‑day requirement and state how the project handles periods with no reports.
This issue is part of Epic #3223 to raise KubeStellar’s badge score.
Proposed Solution:
Update SECURITY.md under “Security Vulnerability Response” to include:
Each report is acknowledged and analyzed by the KubeStellar maintainers within 3 working days, which is well within the OpenSSF requirement of an initial response within 14 days.
We guarantee that all valid vulnerability reports will receive an initial acknowledgment within 14 days of receipt.
If no vulnerability reports are received during a given 6‑month period, this will be noted in the OpenSSF badge application with a justification of "Not Applicable."
This monitoring process ensures that any vulnerability report is seen, acknowledged, and acted upon in a timely and consistent manner.
Acceptance Criteria:
SECURITY.md updated with explicit ≤14‑day SLA and N/A handling.
Maintainer monitoring process documented.
Badge application updated with the new SECURITY.md URL as evidence.
Epic: #3223
/cc @clubanderson
/good-first-issue
/help-wanted
Hi Rishi, I would like to contribute. The first step would be updating the md with the text you wrote, correct?
What about these 2 steps?
Maintainer monitoring process documented. Badge application updated with the new SECURITY.md URL as evidence.
Hi @Autodotnet, thanks for your interest in contributing! 🙌 Yes, the first step is to update SECURITY.md with the text I suggested. The other two steps - documenting the maintainer monitoring process and updating the badge application - will be handled by the maintainers, so you can focus on the SECURITY.md update. That alone will be a great help!
Thank you Rishi! /assign