github.com/argoproj/argo-cd/v2@v2.10.9/SECURITY.md

# Security Policy for Argo CD

Version: **v1.5 (2023-03-06)**

## Preface

As a deployment tool, Argo CD needs production access, which makes security
a very important topic. The Argoproj team takes security very seriously and
is continuously working on improving it.

## A word about security scanners

Many organisations these days employ security scanners to validate their
container images before letting them on their clusters, and that is a good
thing. However, the quality and results of these scanners vary greatly: many
of them produce false positives and require people to look at the issues
reported and validate them for correctness. A great example of this is that
some scanners report kernel vulnerabilities for container images just because
the images are derived from some distribution.

We kindly ask you to not raise issues or contact us regarding any issues
that are found by your security scanner. Many of those produce a lot of false
positives, and many of these issues don't affect Argo CD. We do have scanners
in place for our code, dependencies and container images that we publish. We
are well aware of the issues that may affect Argo CD and are constantly
working on the remediation of those that affect Argo CD and our users.

If you believe that we might have missed an issue that we should take a look
at (that can happen), then please discuss it with us. If there is a CVE
assigned to the issue, please do open an issue on our GitHub tracker instead
of writing to the security contact e-mail, since things reported by scanners
are public already and the discussion that might emerge is of benefit to the
general community. However, please at least roughly validate your scanner
results and their impact on Argo CD before opening an issue.

## Supported Versions

We currently support the last 3 minor versions of Argo CD with security and bug fixes.

We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
supported versions, which will contain fixes for security vulnerabilities and
important bugs. Prior releases might receive critical security fixes on a
best-effort basis; however, it cannot be guaranteed that security fixes get
back-ported to these unsupported versions.

In rare cases, where a security fix needs a complex re-design of a feature or
is otherwise very intrusive, and there's a workaround available, we may decide
to provide a forward-fix only, i.e. one released in the next minor release,
instead of releasing it within a patch branch for the currently supported
releases.

## Reporting a Vulnerability

If you find a security-related bug in Argo CD, we kindly ask you for responsible
disclosure and for giving us appropriate time to react, analyze and develop a
fix to mitigate the found security vulnerability.

We will do our best to react quickly to your inquiry, and to coordinate a fix
and disclosure with you. Sometimes, it might take a little longer for us to
react (e.g. out of office conditions), so please bear with us in these cases.

We will publish security advisories using the
[GitHub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
feature to keep our community well-informed, and will credit you for your
findings (unless you prefer to stay anonymous, of course).

There are two ways to report a vulnerability to the Argo CD team:

* By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
* By e-mail to the following address: cncf-argo-security@lists.cncf.io

## Internet Bug Bounty collaboration

We're happy to announce that the Argo project is collaborating with the great
folks over at
[Hacker One](https://hackerone.com/) and their
[Internet Bug Bounty program](https://hackerone.com/ibb)
to reward the awesome people who find security vulnerabilities in the four
main Argo projects (CD, Events, Rollouts and Workflows) and then work with
us to fix and disclose them in a responsible manner.

If you report a vulnerability to us as outlined in this security policy, we
will work together with you to find out whether your finding is eligible for
claiming a bounty, and also on how to claim it.

## Securing your Argo CD Instance

See the [operator manual security page](docs/operator-manual/security.md) for
additional information about Argo CD's security features and how to make your
Argo CD production ready.