| Version | Supported |
|---------|-----------|
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
We take the security of CAPT seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please DO NOT file a public issue or discuss the vulnerability publicly before a fix is available. Instead, send your report privately to:
- Email: [INSERT SECURITY EMAIL]
- Or use GitHub's private vulnerability reporting feature
Your report should include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any known mitigations or workarounds
- Affected versions (and, if known, the version or commit where the issue was introduced)
- Any additional information that could be helpful
After you submit your report:
- We will acknowledge receipt of your report within 3 business days
- We will provide an initial assessment of the report within 5 business days
- We will keep you informed about our progress
- We will notify you when the issue is fixed
Security fixes will be released as soon as possible; the timeline depends on the complexity of the issue. We will also:
- Tag security releases so they are clearly identifiable as such
- Document the vulnerability in our release notes
- Credit reporters (unless they wish to remain anonymous)
When working with CAPT, we recommend:
- Keep your Kubernetes clusters, and the CAPT components running in them, up to date
- Follow the principle of least privilege for service accounts, RBAC roles, and credentials used by CAPT
- Regularly audit your cluster and CAPT configurations
- Use secure (TLS-protected) communication channels between components
- Monitor your clusters for suspicious activity
CAPT implements several security measures:
- Secure by default configurations
- Regular security updates
- Automated vulnerability scanning
- Code signing for releases
- Dependency vulnerability monitoring
We would like to thank the following individuals and organizations for responsibly disclosing vulnerabilities:
- [List will be updated as vulnerabilities are reported and fixed]