Document vulnerability reporting process

Signed-off-by: Jussi Nummelin <[email protected]>
k0sproject · Jan 7, 2025 · 9604ba2 · 9604ba2
1 parent fd3b880
commit 9604ba2
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Following versions are supported and maintained:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| v1.31.x   | :white_check_mark: |
+| v1.30.x   | :white_check_mark:                |
+| v1.29.x   | :white_check_mark: |
+| < v1.29.x   | :x:                |
+
+## Reporting a Vulnerability
+
+k0s supports responsible disclosure and endeavors to resolve security issues in a reasonable timeframe.
+
+To report a security vulnerability, you can use Github [private security reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) feature under the securtiy tab. That allows the reporter and maintainers to coordinate the disclosure and the fix before public disclosure.