Security: securebuildhq/securebuild

Security

Reporting a vulnerability

Security-related matters (including suspected vulnerabilities in SecureBuild itself—the build pipeline, worker, proxies, admin app, or this repository) can be reported by email to:

security@replicated.com

Please include a clear description of the issue and steps to reproduce if possible. We will acknowledge receipt and work with you on next steps.

Third-party software and upstream projects

SecureBuild builds and distributes third-party applications from upstream open source projects. If you discover a new security vulnerability in an upstream application (e.g. in the application’s own code or dependencies), please report it to that project’s maintainers using their security policy or disclosure process. Do not report upstream application vulnerabilities only to SecureBuild; the upstream project needs to be notified so they can fix and disclose appropriately.

For vulnerabilities that affect how SecureBuild builds or serves those applications (e.g. build isolation, signing, or our infrastructure), report to security@replicated.com as above.

What to expect

  • We will acknowledge your report and, where appropriate, work with you to understand and address the issue.
  • We may ask for additional details or clarification.
  • We will keep you updated on the status of the report and any fix or disclosure, consistent with responsible disclosure practices.

Thank you for helping keep SecureBuild and its users secure.
