The kcp maintainers take security for kcp very seriously, especially given kcp's sensitive nature as an API control plane.
kcp uses GitHub to allow submission of private security reports. Please report any security finding via this link or send a direct email to [email protected]. Maintainers will triage your report as soon as possible and get in touch with you via your report or via email if they have more questions.
As a security researcher, please report vulnerabilities to kcp following coordinated vulnerability disclosure. In return, maintainers pledge to engage in good faith and collaborate with security researchers to address and publish vulnerabilities found in kcp as soon as possible.
Please understand that the maintainers do not accept results of dependency scanners without proof that the detected CVE or vulnerability can be used against kcp.
Advisories are managed through GitHub. Public disclosure of vulnerabilities happens through GitHub and the kcp-users mailing list. Please visit Security Advisories to review security bulletins published by the maintainers.