github.com/argoproj/argo-cd@v1.8.7/SECURITY.md (about)

# Security Policy for Argo CD

Version: **v1.0 (2020-02-26)**

## Preface

As a deployment tool, Argo CD needs to have production access, which makes
security a very important topic. The Argoproj team takes security very
seriously and is continuously working on improving it.

## Supported Versions

We currently support the most recent release (`N`, e.g. `1.8`) and the release
previous to the most recent one (`N-1`, e.g. `1.7`). With the release of
`N+1`, `N-1` drops out of support and `N` becomes `N-1`.

We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
supported versions, which will contain fixes for security vulnerabilities and
important bugs. Prior releases might receive critical security fixes on a
best-effort basis; however, it cannot be guaranteed that security fixes get
back-ported to these unsupported versions.

In rare cases, where a security fix needs a complex re-design of a feature or is
otherwise very intrusive, and there's a workaround available, we may decide to
provide a forward-fix only, e.g. to be released in the next minor release, instead
of releasing it within a patch branch for the currently supported releases.

## Reporting a Vulnerability

If you find a security-related bug in Argo CD, we kindly ask you for responsible
disclosure and for giving us appropriate time to react, analyze and develop a
fix to mitigate the found security vulnerability.

We will do our best to react quickly to your inquiry, and to coordinate a fix
and disclosure with you. Sometimes, it might take a little longer for us to
react (e.g. out of office conditions), so please bear with us in these cases.

We will publish security advisories using the GitHub Security Advisories (SA)
feature to keep our community well informed, and will credit you for your
findings (unless you prefer to stay anonymous, of course).

Please report vulnerabilities by e-mail to all of the following people:

* jfischer@redhat.com
* Jesse_Suen@intuit.com
* Alexander_Matyushentsev@intuit.com
* Edward_Lee@intuit.com