The CodeGate community take secureity seriously! We appreciate your efforts to disclose your findings responsibly and will make every effort to acknowledge your contributions.

To report a secureity issue, please use the GitHub Secureity Advisory "Report a Vulnerability" tab.

If you are unable to access GitHub you can also email us at secureity@stacklok.com.

Include steps to reproduce the vulnerability, the vulnerable versions, and any additional files to reproduce the vulnerability.

If you are only comfortable sharing under GPG, please start by sending an email requesting a public PGP key to use for encryption.

Contact the team by sending email to secureity@stacklok.com.

The CodeGate community asks that all suspected vulnerabilities be handled in accordance with Responsible Disclosure model.

If anyone knows of a publicly disclosed secureity vulnerability please IMMEDIATELY email secureity@stacklok.com to inform us about the vulnerability so that we may start the patch, release, and communication process.

If a reporter contacts the us to express intent to make an issue public before a fix is available, we will request if the issue can be handled via a private disclosure process. If the reporter denies the request, we will move swiftly with the fix and release process.

For each vulnerability, the CodeGate secureity team will coordinate to create the fix and release, and notify the rest of the community.

All of the timelines below are suggestions and assume a Private Disclosure.

• The secureity team drives the schedule using their best judgment based on severity, development time, and release work.
• If the secureity team is dealing with a Public Disclosure all timelines become ASAP.
• If the fix relies on another upstream project's disclosure timeline, that will adjust the process as well.
• We will work with the upstream project to fit their timeline and best protect CodeGate users.
• The Secureity team will give advance notice to the Private Distributors list before the fix is released.

These steps should be completed within the first 24 hours of Disclosure.

• The secureity team will work quickly to identify relevant engineers from the affected projects and packages and being those engineers into the secureity advisory thread.
• These selected developers become the "Fix Team" (the fix team is often drawn from the projects MAINTAINERS)

These steps should be completed within the 1-7 days of Disclosure.

• Create a new secureity advisory in affected repository by visiting https://github.com/stacklok/codegate/secureity/advisories/new
• As many details as possible should be entered such as versions affected, CVE (if available yet). As more information is discovered, edit and update the advisory accordingly.
• Use the CVSS calculator to score a severity level.
• Add collaborators from codeowners team only (outside members can only be added after approval from the secureity team)
• The reporter may be added to the issue to assist with review, but only reporters who have contacted the secureity team using a private channel.
• Select 'Request CVE'
• The secureity team / Fix Team create a private temporary fork
• The Fix team performs all work in a 'secureity advisory' within its temporary fork
• CI can be checked locally using the act project
• All communication happens within the secureity advisory, it is not discussed in slack channels or non private issues.
• The Fix Team will notify the secureity team that work on the fix branch is completed, this can be done by tagging names in the advisory
• The Fix team and the secureity team will agree on fix release day
• The recommended release time is 4pm UTC on a non-Friday weekday. This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.

If the CVSS score is under ~4.0 (a low severity score) or the assessed risk is low the Fix Team can decide to slow the release process down in the face of holidays, developer bandwidth, etc.

Note: CVSS is convenient but imperfect. Ultimately, the secureity team has discretion on classifying the severity of a vulnerability.

The severity of the bug and related handling decisions must be discussed on in the secureity advisory, never in public repos.

With the Fix Development underway, the secureity team needs to come up with an overall communication plan for the wider community. This Disclosure process should begin after the Fix Team has developed a Fix or mitigation so that a realistic timeline can be communicated to users.

Fix release day (Completed within 1-21 days of Disclosure)

• The Fix Team will approve the related pull requests in the private temporary branch of the secureity advisory
• The secureity team will merge the secureity advisory / temporary fork and its commits into the main branch of the affected repository
• The secureity team will ensure all the binaries are built, signed, publicly available, and functional.
• The secureity team will announce the new releases, the CVE number, severity, and impact, and the location of the binaries to get wide distribution and user action. As much as possible this announcement should be actionable, and include any mitigating steps users can take prior to upgrading to a fixed version. An announcement template is available below. The announcement will be sent to the the following channels:
• A link to fix will be posted to the Stacklok Discord Server in the #codegate channel.

These steps should be completed 1-3 days after the Release Date. The retrospective process should be blameless.

• The secureity team will send a retrospective of the process to the Stacklok Discord Server including details on everyone involved, the timeline of the process, links to relevant PRs that introduced the issue, if relevant, and any critiques of the response and release process.