# Weave GitOps Security

This document defines security reporting, handling and disclosure information for the Weave GitOps project and community.

## Security Process

### Report a Vulnerability

We're very thankful for – and if desired happy to credit – security researchers and users who report vulnerabilities to the Weave GitOps community.

- To make a report please email the private security list at with the details. We ask that reporters act in good faith by not disclosing the issue to others.
- The Security Team will investigate the issue as soon as possible and, where needed, coordinate a release date with relevant parties.
- You will be able to choose if you want public acknowledgement of your effort and how you would like to be credited.
- Please note that we do not run a bug bounty program and therefore no financial compensation should be expected when reporting a vulnerability.

### Security Team

Our Security Team consists of project maintainers and Weaveworks employees.

### Handling

- All reports are thoroughly investigated by the Security Team.
- Any vulnerability information shared with the Security Team will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need-to-know basis.
- As the security issue moves through the identification and resolution process, the reporter will be notified.
- Additional questions about the vulnerability may also be asked of the reporter.

### Disclosures

Vulnerability disclosures are announced publicly through our [security advisories](https://github.com/weaveworks/weave-gitops/security/advisories). Disclosures will contain an overview, details about the vulnerability, a fix that will typically be an update, and optionally a workaround if one is available.

We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users. We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available. Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.