We release security fixes for the latest minor version only. If you are running an older version, please upgrade before reporting.
| Version | Supported |
|---|---|
Latest minor (see helm/Chart.yaml) |
✅ Yes |
| Older releases | ❌ No — please upgrade |
Please do not report security vulnerabilities through public GitHub Issues.
If you believe you have found a security vulnerability in RCA Operator, please report it privately so we can address it before it is publicly known.
Send an email to security@rca-operator.tech with the following information:
- Summary — a brief description of the vulnerability
- Severity — your assessment (Critical / High / Medium / Low)
- Affected versions — which versions are affected
- Steps to reproduce — a minimal, clear reproduction path
- Impact — what an attacker could achieve by exploiting this
- Suggested fix — optional, but appreciated
You can also use GitHub's private vulnerability reporting if you prefer to stay within GitHub.
| Timeline | What happens |
|---|---|
| Within 48 hours | We acknowledge receipt of your report |
| Within 7 days | We confirm whether the issue is a vulnerability and assign a severity |
| Within 30 days | We aim to have a fix ready for confirmed vulnerabilities |
| On release | We credit you in the security advisory (unless you prefer anonymity) |
We will keep you informed throughout the process. If you do not hear back within 48 hours, please follow up — our email may have missed you.
We follow coordinated disclosure:
- You report privately to us.
- We investigate and develop a fix.
- We release the fix and publish a GitHub Security Advisory.
- You may then disclose publicly (we ask for a minimum of 30 days from initial report, or on fix release — whichever comes first).
We will never ask you to delay disclosure indefinitely. If we cannot fix the issue within 90 days, we will coordinate with you on a reasonable disclosure timeline regardless.
- RCA Operator controller — anything in
cmd/orinternal/ - CRD definitions —
api/v1alpha1/ - Helm chart —
helm/ - RBAC manifests —
config/rbac/ - Official Docker images — published at
ghcr.io/gaurangkudale/rca-operator
- Vulnerabilities in third-party dependencies (please report these upstream; we will bump the dependency on our end)
- Findings from automated scanners with no demonstrated impact
- Issues requiring physical access to infrastructure
- Social engineering of maintainers or contributors
The RCA Operator is designed with a minimal-privilege model:
- Read-only cluster access by default. The operator's
ClusterRoleonly requestsget,list, andwatchon pods, events, nodes, and deployments. It writes only to its own CRDs. - Secrets are never logged. Notification credentials (Slack webhooks, PagerDuty keys) are read from Kubernetes Secrets at runtime and never appear in logs or events.
- No network egress beyond configured endpoints. The operator only makes outbound calls to the Slack webhook URL and PagerDuty API endpoint you configure. No telemetry is sent home.
- No shell execution. The operator does not exec into pods or run arbitrary commands.
If you believe any of these properties are violated, that is almost certainly a vulnerability — please report it.
- The in-memory incident correlation window does not persist across restarts. If the operator restarts mid-incident, transient engine state is lost. This is a known trade-off, not a security issue.
- The operator does not currently validate the contents of Slack webhook URLs — it trusts that the secret you provide is correct.
Thank you for helping keep RCA Operator and its users safe.