kro-ui is pre-1.0 software. Security fixes are applied to the latest release only. There are no backport branches at this time.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please report vulnerabilities via GitHub Security Advisories.

You will receive an acknowledgement within 48 hours and a detailed response within 7 days indicating next steps.

• Description of the vulnerability
• Steps to reproduce (or a proof-of-concept)
• Impact assessment (what an attacker could achieve)
• Any suggested fix, if you have one

kro-ui is a read-only observability tool. It never issues mutating Kubernetes API calls (create, update, patch, delete). The primary attack surface is:

• The HTTP server (port 40107) — served content, API responses
• Kubeconfig handling — file paths, context switching
• Embedded frontend — XSS via cluster data rendered in the UI
• Container image — base image vulnerabilities, supply chain

We follow coordinated disclosure:

1. Reporter submits via GitHub Security Advisory
2. We acknowledge within 48 hours
3. We develop and test a fix (target: 14 days for critical, 30 days for others)
4. We release the fix and publish the advisory
5. Reporter may publish details 30 days after the fix is released

• Dependency scanning: Dependabot monitors Go modules, npm packages, and GitHub Actions for known vulnerabilities
• Code scanning: CodeQL runs on every PR and weekly on main
• Go vulnerability checking: govulncheck runs in CI on every PR
• Container scanning: Trivy scans the Docker image on every PR and release
• Minimal runtime image: Production container uses distroless/static:nonroot (no shell, no package manager, non-root user)
• RBAC enforcement: kro-ui never issues mutating Kubernetes API calls; only get, list, and watch verbs are used