Skip to content

Latest commit

 

History

History
88 lines (61 loc) · 4.06 KB

File metadata and controls

88 lines (61 loc) · 4.06 KB

English | 한국어 | 日本語 | 中文

Security Policy

Supported Versions

The MongoDB Operator team provides security updates for the following versions:

Version Support Status
Current series ✅ Active security support
MongoDB 8.2 ✅ Tested and supported
Kubernetes 1.26+ ✅ Tested and supported

Security updates are released as patches for supported versions. We strongly recommend keeping your operator and MongoDB clusters up-to-date to benefit from the latest security fixes.

Reporting a Vulnerability

We take security reports seriously. If you discover a security vulnerability, please report it privately to us before disclosing it publicly.

How to Report

Preferred Method: Use GitHub's private vulnerability reporting

  1. Visit https://github.com/keiailab/mongodb-operator/security/advisories
  2. Click "Report a vulnerability"
  3. Follow the prompts to submit your report

Alternative: Email us directly at security@keiailab.com

What to Include

Please include as much detail as possible:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any proof-of-concept or exploit code (if available)

Privacy

All vulnerability reports are handled with strict confidentiality. Your report will only be shared with the maintainers responsible for addressing the issue. We will not publicly disclose your identity without your permission.

Security Best Practices for Users

To secure your MongoDB deployments:

  1. Enable TLS: Always enable TLS encryption for data in transit using cert-manager integration
  2. Strong Authentication: Use SCRAM-SHA-256 with strong, unique passwords stored as Kubernetes Secrets
  3. RBAC: Configure proper Kubernetes RBAC to limit operator permissions to least privilege
  4. Network Policies: Implement network policies to restrict pod-to-pod communication
  5. Regular Updates: Keep both the operator and underlying MongoDB versions updated
  6. Backup Security: Secure backup storage credentials and enable encryption for backups
  7. Monitoring: Enable Prometheus monitoring to detect unusual activity patterns
  8. Resource Limits: Set appropriate resource limits to prevent DoS attacks

Security Features of the Operator

The MongoDB Operator includes several security features:

  • TLS Encryption: Automatic certificate management with cert-manager integration
  • Authentication: SCRAM-SHA-256 authentication for secure user access
  • Internal Auth: Keyfile-based authentication for inter-cluster communication
  • RBAC Integration: Respects Kubernetes RBAC for access control
  • Secret Management: Stores credentials securely in Kubernetes Secrets
  • Prometheus Monitoring: Export metrics for security monitoring and alerting
  • Secure Base Image: Uses distroless Docker images to minimize attack surface

Disclosure Policy

Our disclosure process follows these guidelines:

  1. Initial Response: We aim to acknowledge vulnerability reports within 48 hours
  2. Assessment: We will assess the severity and impact of the vulnerability
  3. Remediation: We will develop and test a fix for the vulnerability
  4. Coordinated Disclosure: We will work with you to determine a disclosure timeline
  5. Public Release: We will publish a security advisory and release a fix
  6. Credit: We will credit you for the discovery (with your permission)

Security Disclaimer

This project is licensed under the MIT License. As stated in the license, the software is provided "AS IS", WITHOUT WARRANTY OF ANY KIND, express or implied, including but not limited to the warranties of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, and NONINFRINGEMENT.

While we strive to maintain high security standards, you are solely responsible for determining the appropriateness of using or redistributing this project and assume any risks associated with your exercise of permissions under the license.