Security

The Open Cluster Management (OCM) community welcomes and appreciates responsible disclosure of security vulnerabilities.

If you know of a security issue with OCM, please report it to OCM-security@googlegroups.com. The OCM project owners receive security disclosures by default. They may share disclosures with others as required to make and propagate fixes.

The OCM community security reporting process follows the Kubernetes security reporting process as standard.

Security Vulnerability Response

Each report is acknowledged and analyzed by OCM project owners within 5 working days. This will set off the Security Release Process.

Any vulnerability information shared with OCM project owners stays within the OCM community and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage, to identified fix, to release planning we will keep the reporter updated.

Security Release Process

Refer to the Kubernetes Security Release Process for details on the security disclosures and response policy.

Last modified February 28, 2025: Add security reporting page (#253) (84c6479)