Security vulnerabilities

Review how the K8sGateway project handles the lifecycle of Common Vulnerabilities and Exposures (CVEs).

Reports

The K8sGateway project appreciates the efforts of our users in helping us to discover and resolve security vulnerabilities. The following sources are used to determine product exposure to CVEs:

  • The K8sGateway team scans K8sGateway components to detect vulnerabilities.
  • The K8sGateway team participates in early disclosure and security workgroups of multiple upstream communities.
  • Users may share output from their own security scanning tools for analysis and response from the K8sGateway team.

📨 Where to report

To report a security vulnerability, email the private Google group [email protected].

✅ When to send a report

Send a report when:

  • You discover that a K8sGateway component has a potential security vulnerability.
  • You are unsure whether or how a vulnerability affects K8sGateway.

🔔 Check before sending

If in doubt, send a private message about potential vulnerabilities such as:

  • Any crash, especially in Envoy.
  • Any potential Denial of Service (DoS) attack.

❌ When NOT to send a report

Do not send a report for issues that are outside the scope of the K8sGateway security process, such as when:

  • You want help configuring K8sGateway components for security purposes.
  • You want help applying security related updates to your K8sGateway configuration or environment.
  • Your issue is not related to security vulnerabilities.
  • Your issue is in an upstream or base image dependency, such as Envoy. Report it to that project's own security process instead.

Evaluation

The K8sGateway team evaluates vulnerability reports for:

  • Severity level, which can affect the priority of the fix
  • Impact of the vulnerability on K8sGateway code as opposed to upstream code
  • Potential dependencies on third-party or upstream code that might delay the remediation process

The K8sGateway team keeps vulnerability information private during the remediation process and shares it only on a need-to-know basis with the people who must address the issue.

Remediation

Remediation of a CVE involves introducing a fix to the affected code and releasing the associated component. This development process might happen in private GitHub repositories to keep information secure and prevent broader exploitation of the vulnerability.

Disclosures

The K8sGateway team discloses remediated vulnerabilities publicly. Additionally, you can join an early disclosure group to help address vulnerabilities earlier in the remediation process.

Public disclosure

On the disclosure date for the remediation, the K8sGateway team takes steps that might include the following:

  • Merge changes from any private repositories into the public codebase
  • Share security scan results for product images
  • Publish a release and any corresponding documentation for mitigating the vulnerability
  • Announce the remediated vulnerability in a public channel such as email or Slack

Early disclosure

You can join a distribution list to get early disclosure of security vulnerabilities. This way, you can take action earlier in the process to help remediate the vulnerability and mitigate its effects in your environments.

To request membership in the early disclosure group, email the private Google group [email protected]. In your request, indicate how you meet the following membership criteria.

Membership criteria

  1. Contribute significantly to the K8sGateway project, such as by being a maintainer, release manager, or active feature developer.
  2. Use K8sGateway in a way that justifies early disclosure of security vulnerabilities, such as redistributing K8sGateway or providing K8sGateway to many users outside your own organization.
  3. Monitor the email that you provide for the early disclosure distribution list.
  4. Participate in and attend meetings of the security working group.
  5. Keep any information from the distribution list private and on a need-to-know basis. Information is only for the purpose of remediating the vulnerability. If you share information beyond the scope of this policy, you must notify the distribution list with details of what information was shared, when, and to whom, so the K8sGateway team can assess how to proceed.

Membership removal

You must actively meet the membership criteria to remain part of the early disclosure distribution list. If your organization stops meeting one or more of these criteria, you can be removed from the distribution list.

Other membership notes

Membership in the Envoy security group is a separate process. Because K8sGateway integrates closely with the Envoy project, you might also consider joining the Envoy early disclosure group. Even if you do not join, you are still expected to abide by the Envoy embargo policy when a K8sGateway vulnerability relates to the Envoy project.

Updates and questions

The K8sGateway team reserves the right to change this process. The K8sGateway team’s security processes are reviewed regularly to ensure compliance with industry standards and the current security landscape. For questions or additional details, email the private Google group [email protected].