The ngrok Kubernetes Operator team takes security vulnerabilities seriously. We appreciate responsible disclosure and will work with you to investigate and address any issues.
Please do not report security vulnerabilities through public GitHub issues.
To report a security vulnerability, please use the GitHub Security Advisory feature. This allows you to report the issue privately to the maintainers.
Alternatively, you may email [email protected] with:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any suggested mitigations, if known
- Acknowledgement: We will acknowledge receipt of your report within 3 business days.
- Assessment: We will investigate and confirm whether the report describes a genuine vulnerability within 10 business days.
- Resolution: Once confirmed, we will work on a fix and coordinate a disclosure timeline with you.
- Credit: We are happy to credit reporters in release notes and advisories, unless you prefer to remain anonymous.
We ask that you:
- Give us reasonable time to address the issue before any public disclosure.
- Avoid accessing or modifying other users' data during your research.
- Act in good faith to avoid privacy violations, data destruction, or service disruption.
Security fixes are applied to the latest release of the ngrok Kubernetes Operator. We encourage all users to stay on the most recent version.
| Version | Supported |
|---|---|
| Latest (0.x) | ✅ |
| Older releases | ❌ |
Since the operator is currently pre-1.0.0, only the most recent release branch receives security updates. Users are encouraged to upgrade promptly when new releases are available.
This security policy applies to vulnerabilities in the ngrok Kubernetes Operator itself, including:
- The operator controller and reconciliation logic
- Helm chart configuration and defaults
- CRD definitions and admission webhooks
- Container images published to the ngrok container registry
- Vulnerabilities in the ngrok platform or ngrok agent itself — please report those via ngrok's security disclosure process
- Vulnerabilities in third-party dependencies — please report those to the relevant upstream projects
- Scanner output that has not been independently verified as exploitable in the context of this operator
- Issues in older, unsupported versions of the operator
To stay informed about security updates and advisories:
- Watch this repository for security advisories
- Monitor the GitHub releases page for security-related releases
When a vulnerability is confirmed, we follow coordinated disclosure:
- A patch is prepared in a private fork or branch.
- A GitHub Security Advisory is drafted with CVE assignment requested if applicable.
- The fix is released and the advisory is published simultaneously.
- Release notes will reference the advisory.
We aim to disclose vulnerabilities within 90 days of the initial report, in line with common industry standards.