We release patches for security vulnerabilities in the following versions:

We take the security of our Helm charts seriously. If you believe you have found a security vulnerability in any of our charts, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: [email protected]

Please include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Acknowledgment: You should receive an acknowledgment within 48 hours
• Initial Assessment: We will provide an initial assessment within 7 days
• Updates: We will keep you informed about the progress toward a fix and announcement
• Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

1. The security report is received and assigned to a maintainer
2. The problem is confirmed and affected versions are determined
3. Code is audited to find any similar problems
4. Fixes are prepared for all supported versions
5. New versions are released and announcements are made

When using our Helm charts:

Always use the latest chart versions to ensure you have the latest security patches:

helm repo update
helm upgrade <release-name> codefuturist/<chart-name>

• Never commit sensitive data (passwords, tokens, keys) to values files
• Use Kubernetes Secrets or external secret management tools
• Review all exposed services and ingress configurations

When possible, specify image digests instead of tags for immutability:

image:
  repository: myapp
  digest: sha256:abc123...

Configure security contexts, pod security policies/standards, and network policies:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true

Regularly scan container images for vulnerabilities using tools like:

• Trivy
• Clair
• Anchore

Enable network policies to restrict pod-to-pod communication:

networkPolicy:
  enabled: true

Use minimal RBAC permissions required for your application.

Our charts support multiple secret management approaches:

• Kubernetes native secrets
• Sealed Secrets
• External Secrets Operator
• Azure Key Vault CSI Driver

Choose the method appropriate for your security requirements.

By default, services are not exposed externally. When enabling ingress:

• Always use TLS/HTTPS
• Configure proper authentication
• Review ingress annotations for security implications

• Day 0: Vulnerability reported
• Day 1-7: Maintainers assess and confirm the vulnerability
• Day 7-14: Fix is developed and tested
• Day 14-21: Fix is released and security advisory published
• Day 21+: Public disclosure (after users have time to update)

Published security advisories can be found at:

• GitHub Security Advisories: https://github.com/codefuturist/helm-charts/security/advisories
• Release Notes: https://github.com/codefuturist/helm-charts/releases

• Kubernetes Security Best Practices
• Helm Security Best Practices
• OWASP Kubernetes Security Cheat Sheet

For security-related questions or concerns, contact: [email protected]

Thank you for helping keep our Helm charts and users secure!