To report a security problem in Artifact Hub, please contact the Maintainers Team at cncf-artifacthub-maintainers@lists.cncf.io.
The maintainers will evaluate the report to verify the security issue. If the issue does not have a security impact, the report and follow-up will move to GitHub issues. If a security issue exists, the maintainers use the following process:
- Create a new draft advisory via GitHub Security Advisories.
- Request a CVE identification number.
- Collaborate on a private fork, part of the GitHub Security Advisory system, to fix the issue.
- Once a solution is ready, the CVE will be finalized and published, the change will be merged, and there will be a new release of Artifact Hub including the security fix.