To report a security problem in Kanister, please contact the maintainers listed in the MAINTAINERS.md file.
The maintainers will help diagnose the severity of the issue and determine how to address the issue. Issues deemed to be non-critical will be filed as GitHub issues. Critical issues will receive immediate attention and be fixed as quickly as possible. The maintainers will then coordinate a release date with you.
When serious security problems in Kanister are discovered and corrected, the maintainers issue a security advisory, describing the problem and containing a pointer to the fix. These will be announced on the Kanister's mailing list and websites.
Security issues are fixed as soon as possible, and the fixes are propagated to the stable branches as fast as possible. However, when a vulnerability is found during a code audit, or when several other issues are likely to be spotted and fixed in the near future, the maintainers may delay the release of a Security Advisory, so that one unique, comprehensive Security Advisory covering several vulnerabilities can be issued. Communication with vendors and other distributions shipping the same code may also cause these delays.