podman-desktop/SECURITY.md

# Security and Disclosure Information Policy for the Podman Desktop Project

This is the security policy for the Podman Desktop project. It applies to all repositories
in the [Podman Desktop GitHub organization](https://github.com/podman-desktop).

- [Reporting a Vulnerability](#Reporting-a-Vulnerability)
- [Security Announcements](#Security-Announcements)
- [Security Vulnerability Response](#Security-Vulnerability-Response)

## Reporting a Vulnerability

If you think you've identified a security issue in a Podman Desktop project,
please **DO NOT** report the issue publicly via the GitHub issue tracker,
mailing list, or chat. Instead, you have two options:

- Open a private GitHub Security Vulnerability Advisory
  ([GitHub documentation](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability)).
- Send an email with as many details as possible to
  [cncf-podman-desktop-security@lists.cncf.io](mailto:cncf-podman-desktop-security@lists.cncf.io?subject=Security%20Vulnerablity%20Report).
  This is a private mailing list for the core maintainers.

## Security Announcements

The [cncf-podman-desktop-maintainers@lists.cncf.io](mailto:cncf-podman-desktop-maintainers@lists.cncf.io) email
list is used for messages about Podman Desktop security announcements as well as general announcements and discussions.
You can join the list [here](https://lists.cncf.io/g/cncf-podman-desktop-maintainers/join)
or by sending an email to [cncf-podman-desktop-maintainers+subscribe@lists.cncf.io](mailto:cncf-podman-desktop-maintainers+subscribe@lists.cncf.io?subject=subscribe).

## Security Vulnerability Response

Each report is acknowledged and analyzed by the core maintainers within 3 working days.

Any vulnerability information shared with core maintainers stays within a Podman Desktop project
and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage, to an identified fix, to release planning, the core
maintainers will keep the reporter updated.
chore: update SECURITY.md Our security policy was still pointing to the policy in the containers org and needs to be updated. (e.g. disclosure should not be via the Podman security list) We have one public mailing list today that anyone can join, cncf-podman-desktop-maintainers@lists.cncf.io. We've created a second, private list for security issues: cncf-podman-desktop-security@lists.cncf.io. This PR keeps the same policy/process as the containers org, except: - asks for disclosure via our own -security list - adds GitHub security reporting as another option - announcements are done via our own -maintainers. (announcements could go elsewhere later, but it doesn't seem worth creating another list at this point) Fixes #15762. Signed-off-by: Tim deBoer <git@tdeboer.ca> 2026-01-22 17:53:52 +00:00			`# Security and Disclosure Information Policy for the Podman Desktop Project`
chore: add security policy file Change-Id: I1c878f89b54f3a6353885e8d65011c03cac28e1d Signed-off-by: Florent Benoit <fbenoit@redhat.com> 2022-11-02 09:47:07 +00:00
chore: update SECURITY.md Our security policy was still pointing to the policy in the containers org and needs to be updated. (e.g. disclosure should not be via the Podman security list) We have one public mailing list today that anyone can join, cncf-podman-desktop-maintainers@lists.cncf.io. We've created a second, private list for security issues: cncf-podman-desktop-security@lists.cncf.io. This PR keeps the same policy/process as the containers org, except: - asks for disclosure via our own -security list - adds GitHub security reporting as another option - announcements are done via our own -maintainers. (announcements could go elsewhere later, but it doesn't seem worth creating another list at this point) Fixes #15762. Signed-off-by: Tim deBoer <git@tdeboer.ca> 2026-01-22 17:53:52 +00:00			`This is the security policy for the Podman Desktop project. It applies to all repositories`
			`in the [Podman Desktop GitHub organization](https://github.com/podman-desktop).`

			`- [Reporting a Vulnerability](#Reporting-a-Vulnerability)`
			`- [Security Announcements](#Security-Announcements)`
			`- [Security Vulnerability Response](#Security-Vulnerability-Response)`

			`## Reporting a Vulnerability`

			`If you think you've identified a security issue in a Podman Desktop project,`
			`please DO NOT report the issue publicly via the GitHub issue tracker,`
			`mailing list, or chat. Instead, you have two options:`

			`- Open a private GitHub Security Vulnerability Advisory`
			`([GitHub documentation](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/report-a-vulnerability/privately-reporting-a-security-vulnerability)).`
			`- Send an email with as many details as possible to`
chore: fix typo Fix typo blindly copied from containers org. :) Signed-off-by: Tim deBoer <git@tdeboer.ca> 2026-01-23 18:59:13 +00:00			`[cncf-podman-desktop-security@lists.cncf.io](mailto:cncf-podman-desktop-security@lists.cncf.io?subject=Security%20Vulnerablity%20Report).`
chore: update SECURITY.md Our security policy was still pointing to the policy in the containers org and needs to be updated. (e.g. disclosure should not be via the Podman security list) We have one public mailing list today that anyone can join, cncf-podman-desktop-maintainers@lists.cncf.io. We've created a second, private list for security issues: cncf-podman-desktop-security@lists.cncf.io. This PR keeps the same policy/process as the containers org, except: - asks for disclosure via our own -security list - adds GitHub security reporting as another option - announcements are done via our own -maintainers. (announcements could go elsewhere later, but it doesn't seem worth creating another list at this point) Fixes #15762. Signed-off-by: Tim deBoer <git@tdeboer.ca> 2026-01-22 17:53:52 +00:00			`This is a private mailing list for the core maintainers.`

			`## Security Announcements`

			`The [cncf-podman-desktop-maintainers@lists.cncf.io](mailto:cncf-podman-desktop-maintainers@lists.cncf.io) email`
			`list is used for messages about Podman Desktop security announcements as well as general announcements and discussions.`
			`You can join the list [here](https://lists.cncf.io/g/cncf-podman-desktop-maintainers/join)`
			`or by sending an email to [cncf-podman-desktop-maintainers+subscribe@lists.cncf.io](mailto:cncf-podman-desktop-maintainers+subscribe@lists.cncf.io?subject=subscribe).`

			`## Security Vulnerability Response`

			`Each report is acknowledged and analyzed by the core maintainers within 3 working days.`

			`Any vulnerability information shared with core maintainers stays within a Podman Desktop project`
			`and will not be disseminated to other projects unless it is necessary to get the issue fixed.`

			`As the security issue moves from triage, to an identified fix, to release planning, the core`
			`maintainers will keep the reporter updated.`