From c6a55c76f1b2d9c67ba2da886c56750e39261101 Mon Sep 17 00:00:00 2001 From: John Mazzitelli Date: Mon, 3 Jul 2023 09:13:13 -0400 Subject: [PATCH] Update content/en/news/security-bulletins/_index.md Co-authored-by: Jay Shaughnessy --- content/en/news/security-bulletins/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/news/security-bulletins/_index.md b/content/en/news/security-bulletins/_index.md index cd21313dd..9ad907307 100644 --- a/content/en/news/security-bulletins/_index.md +++ b/content/en/news/security-bulletins/_index.md @@ -9,7 +9,7 @@ weight: 2 {{% alert color="info" %}} NOTE: Kiali takes security seriously and encourages users to report security concerns. -If you run a security scan on Kiali software and would like to report a security scan report to the Kiali team, we only ask that you first verify that your scan is correctly validating the latest release and that the results are valid. Because the Kiali team takes security reports seriously, they often take priority over current work being done, and it takes the Kiali team a long time to research and validate them. So please make sure you verify that any reports you submit are reporting an accurate reflection of the Kiali software being scanned and that the security issues being reported actually affect Kiali or one of its dependencies. +If you run a security scan on Kiali software and would like to report a security scan report to the Kiali team, we only ask that you first verify that your scan is correctly validating the latest release and that the results are valid. Security report investigation often takes priority over scheduled work and can be time consuming for the Kiali maintainers to research and validate. So, please verify that your submitted report accurately reflects the Kiali software being scanned, and that the reported security issue(s) actually affect Kiali or one of its dependencies. {{% /alert %}} Kiali releases every three weeks and so generally resolves CVEs in new releases only. Golang vulnerabilities are typically resolved in a timely way, as the Go version for release builds increments fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually a vulnerability. For reported CVEs that are proven not to affect Kiali, see the table below: