This document defines security reporting, handling and disclosure for the Flux Operator project.

You can privately disclose a vulnerability through GitHub's private vulnerability reporting mechanism.

You will be able to choose if you want public acknowledgement of your effort and how you would like to be credited.

Vulnerability disclosures are made public on GitHub's security advisories page.

Disclosures will contain an overview, details about the vulnerability, a fix that will typically be an update, and optionally a workaround if one is available.

Disclosures will be made public in a timely manner after a release is published that fixes the vulnerability.