The Cloud Native landscape consists mostly of open source projects with many contributors from different backgrounds. Coordinating security disclosures hasn't been a simple process for their maintainers, and security was not always prioritized along the way. Until not long ago, many of these projects had no clear policy on handling security reports, and security issues were left untreated or resolved only after public exposure. On the other hand, some cloud native projects, like Kubernetes, had strong disclosure guidelines from day one.
In this talk, Ariel Zelivansky will review some of the good and bad practices of handling security reports, as well as present the best practices adopted by CNCF projects.