Security: clusterlink-net/clusterlink

SECURITY.md

Security policy

Thank you for your interest in the security of the ClusterLink project. We created this project with security in mind - enabling simple, performant and secure communication across boundaries in the hybrid cloud.

We are in the alpha phase of this project and do not yet recommend using ClusterLink in production. However, we welcome your contributions to the code base and documentation, including reports of potential security issues, so that collectively we can create a solid, robust solution that continuously improves.

Security bulletins

For information regarding the security of this project, please join the users mailing list.

Reporting a vulnerability

We're extremely grateful to the security researchers and users who report vulnerabilities to the ClusterLink Open Source Community. All reports are thoroughly investigated by a set of community volunteers.

We use GitHub private vulnerability reporting for ClusterLink. Private vulnerability reporting provides an easy way for vulnerability reporters to privately disclose security risks to repository maintainers, within GitHub, and in a way that immediately notifies the repository maintainers of the issue.

You will receive a reply from one of the maintainers within a week, acknowledging receipt of the vulnerability report. You may be contacted to discuss the reported item further. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm whether a vulnerability is present.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in ClusterLink components or features
  • You are unsure how a vulnerability affects ClusterLink
  • You think you discovered a vulnerability in another project that ClusterLink depends on. For projects with their own vulnerability reporting and disclosure process, please report the vulnerability directly there.

When Should I NOT Report a Vulnerability?

  • You need help tuning ClusterLink components for security (e.g., advice and help on setting access control policies for specific use cases)
  • You need help applying security-related updates
  • Your issue is not security-related
