From 14e898a3f1223ee7bd2d4eba17a7fa2d0753a3aa Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 10 Oct 2024 16:24:07 +0900 Subject: [PATCH] SECURITY.md: remove references to security@containerd.io The list is full of spam; legit reports are often overlooked. Now vulnerabilities should be reported via GHSA forms, e.g., https://github.com/containerd/containerd/security/advisories/new Fix issue 127 Signed-off-by: Akihiro Suda --- SECURITY.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c981084..8bedb3d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,9 +2,7 @@ ## Reporting a Vulnerability -To report a containerd vulnerability, either: - -1. Report it on Github directly: +To report a containerd vulnerability: Navigate to the security tab on the repository ![Github Security Tab](./img/Security-Tab.png) @@ -15,9 +13,6 @@ To report a containerd vulnerability, either: Click on 'Report a vulnerability' ![Report a vulnerability](./img/Report-A-Vulnerability.png) -2. Send an email to `security@containerd.io` detailing the issue and steps -to reproduce. - The reporter(s) can expect a response within 24 hours acknowledging the issue was received. If a response is not received within 24 hours, please reach out to any committer directly to confirm receipt of the issue. 
@@ -57,7 +52,6 @@ the security announce mailing list. Indirect users who use containerd through a vendor are not expected to join, but should request their vendor join. To join the mailing list, the individual or organization must be sponsored by either a containerd committer or security advisor as well as have a record of properly -handling non-public security information. If a sponsor cannot be found, -sponsorship may be requested at `security@containerd.io`. Sponsorship should not -be requested via public channels since membership of the security announce list -is not public. +handling non-public security information. +Sponsorship should not be requested via public channels since membership of the +security announce list is not public.
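Review bot: in the first hunk (@@ -2,9 +2,7 @@), removing "1. Report it on Github directly:" leaves the two remaining steps ("Navigate to the security tab on the repository" and "Click on 'Report a vulnerability'") as bare lines with screenshots and no list structure; keep them as an ordered list, and add the advisory URL from the commit message, https://github.com/containerd/containerd/security/advisories/new, as a plain text link so that readers who cannot see the images still have a working path.

Review bot: in the second hunk (@@ -15,9 +13,6 @@), the e-mail option is dropped but the retained fallback still reads "please reach out to any committer directly to confirm receipt of the issue"; with the mailbox gone, the document no longer says how a reporter reaches a committer privately, so name where committer contact details are published or which channel to use for that escalation.

Review bot: in the third hunk (@@ -57,7 +52,6 @@), the sentence "If a sponsor cannot be found, sponsorship may be requested at `security@containerd.io`" is removed with no replacement, while the retained text still says sponsorship "should not be requested via public channels"; the paragraph now forbids the public route but gives no private one, so state the new private contact (the same paragraph already names committers and security advisors as sponsors, so pointing at them would close the gap).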