Security fixes are applied to the latest release on main.
| Version | Supported |
|---|---|
Latest main |
✅ |
| Older releases | ❌ |
Please do not report security vulnerabilities in public GitHub issues.
Maintainer roles and sensitive-resource access are documented in MAINTAINERS.md.
Use GitHub's private vulnerability reporting:
- Repository security page: github.com/pvc-explorer-operator/pvc-explorer/security
- Private report form: github.com/pvc-explorer-operator/pvc-explorer/security/advisories/new
- Published advisories: github.com/pvc-explorer-operator/pvc-explorer/security/advisories
- Go to the repository's Security tab
- Click Report a vulnerability
- Provide reproduction steps and impact details
If private reporting is unavailable, contact maintainers via GitHub private message.
We will acknowledge receipt within 72 hours and provide a status update as triage progresses.
- We confirm the issue and assess severity
- We prepare and test a fix
- We coordinate a release
- We publish an advisory with mitigation details
This repository must not store real secrets or credentials in version control.
Policy:
- Do not commit tokens, passwords, API keys, kubeconfigs, private keys, or session secrets.
- Use placeholders or mock values for examples and local development fixtures.
- Keep operational secrets in environment variables, GitHub secrets, or Kubernetes Secrets, not in tracked files.
Automated enforcement:
- CI runs automated secret scanning on pull requests and pushes to
main. - Pull requests that introduce suspected secrets must be fixed before merge.
- If a scan reports a false positive, update the scanner allowlist with a narrow, file-specific exception and explain why it is safe.