Skip to content

Security: LuxorLabs/tofu-controller

Security

SECURITY.md

Tofu-Controller Security

This document defines security reporting, handling and disclosure information for the Tofu-Controller project and community.

Security Process

Report a Vulnerability

We're very thankful for – and if desired happy to credit – security researchers and users who report vulnerabilities to the Tofu-Controller community.

  • To make a report please go to Tofu-Controller's Security page and submit the details. We ask that reporters act in good faith by not disclosing the issue to others.
  • The Security Team will investigate the issue as soon as possible and where needed, coordinate a release date with relevant parties.
  • You will be able to choose if you want public acknowledgement of your effort and how you would like to be credited.
  • Please note that we do not run a bug bounty program and therefore no financial compensation should be expected when reporting a vulnerability.

Security Team

Our Security Team consists of the Project's maintainers.

Handling

  • All reports are thoroughly investigated by the Security Team.
  • Any vulnerability information shared with the Security Team will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need to know basis.
  • As the security issue moves through the identification and resolution process, the reporter will be notified.
  • Additional questions about the vulnerability may also be asked of the reporter.

Disclosures

Vulnerability disclosures are announced publicly through our security advisories. Disclosures will contain an overview, details about the vulnerability, a fix that will typically be an update, and optionally a workaround if one is available.

We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users. We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available. Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.

There aren’t any published security advisories