Comments (9)
@akgraner would your team please add this to the next Kubeflow Security Team's meeting agenda? Thank you.
from kubeflow.
@akgraner @jbottum just following up here, did we get any updates from @psmoros?
Also, we probably need to set up a secure way for people to report issues (e.g. HackerOne, which we get free with the CNCF).
@thesuperzapper thank you for that suggestion. We are aware and are working with the CNCF to get an email address for that purpose.
@psmoros - Can you reach out to me and @juliusvonkohout via Slack (akgraner) so we can set up a meeting with you and a couple of other members of the security team. And can you also email us more information at [email protected] and [email protected] about the issue.
Our next security meeting is 16 January 2024. Below is the meeting information.
Join Zoom Meeting
https://us06web.zoom.us/j/87118537300?pwd=NG5ibWN0N2YxUGR5Y2NXSXRiN0FGZz09
Meeting ID: 871 1853 7300
Passcode: 273734
We are working with CNCF folks to get a policy and a reporting email in place. However, I'll see if we can get a reporting address sooner rather than later. Thank you.
@akgraner many security researchers oppose using email disclosures for a number of reasons:
- Encryption: emails are inherently not secure and can be intercepted
- Phishing/Leaks: allowing security researchers to send arbitrary attachments is a recipe for it to get hacked (potentially exposing all the other pending vulnerabilities)
- Tracking: it can be unclear if the project has seen the disclosure, and so when it would be appropriate to publicly disclose if no action is taken (typically 90 days)
- Verification: it makes getting payments/recognition for anonymous disclosures impossible (we can't identify who's sending)
- Access Control: Enforcing access control on the triage end is very hard
- Standardization: we can't enforce any kind of structure to the report
Most large projects either use HackerOne or GitHub's built-in disclosures feature.
Thanks @akgraner, will do :))