We will disclose fixes for vulnerabilities in our Release Notes.
To receive update warnings, please watch the vCluster repo and the Loft repo, and review our release notes on a regular basis.
Please report vulnerabilities to: security@vcluster.com
We do not have a bug bounty program, and we do not offer any reward for findings. However, we would be happy to provide attribution if a CVE is confirmed.
When reporting a vulnerability:
- Ensure it impacts a supported version of vCluster or the Platform
- Do report any vulnerability affecting the vCluster ecosystem
- Do treat all information as confidential unless otherwise agreed upon by both parties
- Do not create low-effort or AI-generated security reports; these will be ignored
- Do not report CVEs found by vulnerability scanners; those should be reported to the appropriate project
- Do not report bugs or ask general questions about the product
Please include the following information in your report:
- Version of products used
- Issue and impact
- Steps to reproduce
- Link to code if available