From 5c57cb5abdef58a0643c71b08c02b81aa89c74be Mon Sep 17 00:00:00 2001 From: Hannah Cooper Date: Thu, 12 Mar 2026 01:57:12 +0000 Subject: [PATCH] GITBOOK-34: Report a vulnerability updates --- README.md | 2 +- SUMMARY.md | 1 + contribute/contribute.md | 33 +++++++++++++------ ...ow-do-i-report-a-security-vulnerability.md | 12 +++++++ 4 files changed, 37 insertions(+), 11 deletions(-) create mode 100644 faqs/contributing/how-do-i-report-a-security-vulnerability.md diff --git a/README.md b/README.md index 4564a6dd..a91de9d6 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Community Edition, five/three nodes free and Home & Student users can get suppor * **Ask our AI bot** by clicking the **Ask AI** button in the bottom right of this documentation site. Our AI chatbot pulls from a number of sources and is a great place to start when looking for help. * **Ask questions** either in our [GitHub Discussions](https://github.com/orgs/portainer/discussions/categories/help) forum or the [community Slack channel](https://portainer.io/slack). Other platforms exist (Reddit, Discord, Stack Overflow) but we are less active in those spaces. * **Log bugs** in [GitHub Issues](https://github.com/portainer/portainer/issues) so they can be properly managed. -* **Flag vulnerabilities** by emailing [security@portainer.io](mailto:security@portainer.io) so we can deal with them immediately. +* **Report any security vulnerabilities** by emailing [security@portainer.io](mailto:security@portainer.io) or by [opening a vulnerability report in GitHub](https://github.com/portainer/portainer/security/advisories/new) so the issue can be reviewed and addressed as quickly as possible. * **Flag documentation issues** via our [GitHub documentation channel](https://github.com/portainer/portainer-docs/issues) (or start [contributing](contribute/contribute.md) and make our documentation better!). ### Business Edition Customers diff --git a/SUMMARY.md b/SUMMARY.md index a105f74a..7b24a105 100644 
--- a/SUMMARY.md +++ b/SUMMARY.md @@ -415,6 +415,7 @@ * [How do I raise a feature request?](faqs/contributing/how-do-i-raise-a-feature-request.md) * [How do you decide which bugs and features to work on first?](faqs/contributing/how-do-you-decide-which-bugs-and-features-to-work-on-first.md) * [How do I log a Support Request?](faqs/contributing/how-do-i-log-a-support-request.md) + * [How do I report a security vulnerability?](faqs/contributing/how-do-i-report-a-security-vulnerability.md) * [Known issues](faqs/known-issues/README.md) * [Edge stacks do not support authenticating to deploy applications from private registries](faqs/known-issues/edge-stacks-do-not-support-authenticating-to-deploy-applications-from-private-registries.md) * [Known issues with VMware](faqs/known-issues/known-issues-with-vmware.md) diff --git a/contribute/contribute.md b/contribute/contribute.md index 7280e88f..02b13d51 100644 --- a/contribute/contribute.md +++ b/contribute/contribute.md 
@@ -12,6 +12,16 @@ The following guidelines outline our engineering workflows, please review these ## Contributing to the Portainer CE codebase +{% hint style="warning" %} +### AI assistance notice + +If you use any form of AI assistance to create your contribution - whether for code, documentation, or drafting pull request (PR) responses - it must be disclosed in your pull request description. + +Trivial assistance, like single-word auto-completion, does not require disclosure. Disclosing AI usage helps maintainers apply the correct level of scrutiny during review. + +For commits where an AI tool has significantly contributed to the code, it is recommended to add a Co-Authored-By trailer in the commit message to formally credit the tool, using the format specified by the tool's provider. +{% endhint %} + The Portainer CE codebase is available in [GitHub](https://github.com/portainer/portainer). Please follow our [build instructions](build/) and the following guidelines when making a contribution. ### Repository structure 
@@ -45,16 +55,6 @@ The Portainer CE codebase is available in [GitHub](https://github.com/portainer/ * **Documentation**: Update relevant docs (e.g. README, usage notes) when changing functionality. * **Scope**: Focus on well-defined features, fixes, or improvements. Large architectural changes should be discussed in an issue first. -{% hint style="warning" %} -### AI assistance notice - -If you use any form of AI assistance to create your contribution - whether for code, documentation, or drafting pull request (PR) responses - it must be disclosed in your pull request description. - -Trivial assistance, like single-word auto-completion, does not require disclosure. Disclosing AI usage helps maintainers apply the correct level of scrutiny during review. - -For commits where an AI tool has significantly contributed to the code, it is recommended to add a Co-Authored-By trailer in the commit message to formally credit the tool, using the format specified by the tool's provider. -{% endhint %} - ### Communication * For significant changes or new features, use [GitHub Discussions](https://github.com/orgs/portainer/discussions/categories/ideas) to start a discussion before starting the change. 
@@ -66,6 +66,19 @@ If you find a bug, [please tell us](https://github.com/portainer/portainer/issue [This article](../faqs/contributing/how-do-you-decide-which-bugs-and-features-to-work-on-first.md) covers how we prioritize bug fixes. +## Reporting security vulnerabilities + +The Portainer team takes the security of our products seriously. If you believe you have discovered a security vulnerability in any Portainer-owned repository, please report it responsibly. + +Plase do not report security vulnerabilities through public channels, including standard GitHub issues. + +Instead, report vulnerabilities using one of the following methods: + +* Email the Portainer team at [security@portainer.io](mailto:security@portainer.io) +* [Submit a private vulnerability report](https://github.com/portainer/portainer/security/advisories/new) through the relevant Portainer repository on GitHub + +These channels allow the team to review and address the issue as quickly as possible while minimizing the risk of public exposure before a fix is available. + ## Feature requests You can request new features by posting an Idea in our [GitHub Discussions](https://github.com/orgs/portainer/discussions/categories/ideas) forum. Please check to see if someone has already requested the feature you want, and give it an upvote if so. diff --git a/faqs/contributing/how-do-i-report-a-security-vulnerability.md b/faqs/contributing/how-do-i-report-a-security-vulnerability.md new file mode 100644 index 00000000..24683a8d --- /dev/null +++ b/faqs/contributing/how-do-i-report-a-security-vulnerability.md 
@@ -0,0 +1,12 @@ +# How do I report a security vulnerability? + +The Portainer team takes the security of our products seriously. If you believe you have discovered a security vulnerability in any Portainer-owned repository, please report it responsibly. + +Please do not report security vulnerabilities through public channels, including standard GitHub issues. + +Instead, report vulnerabilities using one of the following methods: + +* Email the Portainer team at [security@portainer.io](mailto:security@portainer.io) +* ​[Submit a private vulnerability report](https://github.com/portainer/portainer/security/advisories/new) through the relevant Portainer repository on GitHub + +These channels allow the team to review and address the issue as quickly as possible while minimizing the risk of public exposure before a fix is available.
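Review bot: the README.md hunk now points the "Report any security vulnerabilities" bullet straight at the portainer/portainer advisory form, but the guidance that matters most (do not use public GitHub issues) lives only in contribute.md and the new FAQ page; consider linking the bullet to faqs/contributing/how-do-i-report-a-security-vulnerability.md so that instruction is one click away rather than repeated or omitted.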
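Review bot: the two contribute.md hunks at @@ -12,6 and @@ -45,16 relocate the AI assistance notice from after the Scope bullet to the top of "Contributing to the Portainer CE codebase" with the text unchanged, yet the subject line "Report a vulnerability updates" does not mention this move; add a line to the commit message describing the relocation, or split it into its own commit so the diff stays reviewable.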
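Review bot: typo in the contribute.md hunk at @@ -66,6: the added line "+Plase do not report security vulnerabilities through public channels" should read "Please"; the same sentence in the new FAQ file is spelled correctly, so the two copies of this section already differ.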
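Review bot: in the new faqs/contributing/how-do-i-report-a-security-vulnerability.md the second bullet carries a stray invisible character (a zero-width space) between "* " and "[Submit a private vulnerability report]", which the otherwise identical list in contribute.md does not have; strip it so the bullet renders as a plain list item. The link also targets only https://github.com/portainer/portainer/security/advisories/new while the text says "through the relevant Portainer repository on GitHub", so either state that the link is for the main repository or describe how to reach the advisory form on the other Portainer repositories. Since the page body duplicates the new contribute.md section word for word, consider having one of them link to the other to avoid future drift.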