Please do not open a public GitHub issue for security-sensitive reports.
Use GitHub's private vulnerability reporting instead. It opens a private channel between you and the maintainers, with a clear audit trail and the option to coordinate a CVE / advisory once a fix is ready.
We aim to acknowledge new reports within 3 working days and to ship a fix or mitigation within 30 days for confirmed vulnerabilities. Severity, scope, and complexity may stretch that window — we'll keep you posted on the advisory thread.
In scope:
- The
x509-certificate-exporterbinary and any code undercmd/,pkg/,internal/. - The Helm chart under
chart/(templates, default values, RBAC, security contexts). - Container images published to
ghcr.io/enix,quay.io/enix, anddocker.io/enix. - The release supply chain (GitHub Actions workflows, Sigstore signatures, SLSA provenance, SBOMs).
Out of scope:
- Issues affecting only the
dev/andtest/directories (development tooling, e2e fixtures). - Vulnerabilities in upstream dependencies — please report those to the upstream project. We track advisories via Renovate and govulncheck and will pick them up.
Every release ships with cosign keyless signatures, SLSA Build
Level 3 build provenance, and a CycloneDX SBOM. Verification recipes
are documented in docs/hardening.md.