KServe actively maintains and provides security updates for the latest major release and the preceding major release. Users are encouraged to stay updated with the latest releases to benefit from security patches and improvements.
We strongly encourage you to report security vulnerabilities privately, before disclosing them in any public forum. Only the active maintainers and KServe security group members will receive the reported vulnerabilities, and the issues are treated as top priority.
You can use the following ways to report security vulnerabilities privately:
- Using the KServe repository GitHub Security Advisory.
- Using our private security mailing list: [email protected].
Please provide detailed information to help us understand and address the issue promptly.
- Acknowledgment: We will acknowledge receipt of your report within 5 business days.
- Assessment: The security team will investigate the reported issue to determine its validity and severity.
- Resolution: If the issue is confirmed, we will work on a fix and prepare a release.
- Notification: Once a fix is available, we will notify the reporter and coordinate a public disclosure.
- Public Disclosure: Details of the vulnerability and the fix will be published in the project's release notes and communicated through appropriate channels.
KServe employs several measures to prevent security issues:
- Code Reviews: All code changes are reviewed by maintainers to ensure code quality and security.
- Dependency Management: Dependencies are regularly updated and monitored to address known vulnerabilities.
- Continuous Integration: Automated testing and security checks are integrated into the CI/CD pipeline.
- Image Scanning: Container images are scanned for vulnerabilities.
- Static Analysis: Static code analysis tools are used to identify potential security issues in the codebase.
For general questions and discussions, please use the following channels:
- Slack: Join the KServe Slack channel for real-time communication.
- GitHub Discussions: https://github.com/kserve/kserve/discussions
Please do not report security vulnerabilities through public channels. Use the private email address provided above to ensure responsible disclosure.