The MongoDB Operator team provides security updates for the following versions:
| Version | Support Status |
|---|---|
| Current series | ✅ Active security support |
| MongoDB 8.2 | ✅ Tested and supported |
| Kubernetes 1.26+ | ✅ Tested and supported |
Security updates are released as patches for supported versions. We strongly recommend keeping your operator and MongoDB clusters up-to-date to benefit from the latest security fixes.
We take security reports seriously. If you discover a security vulnerability, please report it privately to us before disclosing it publicly.
Preferred Method: Use GitHub's private vulnerability reporting
- Visit https://github.com/keiailab/mongodb-operator/security/advisories
- Click "Report a vulnerability"
- Follow the prompts to submit your report
Alternative: Email us directly at security@keiailab.com
Please include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any proof-of-concept or exploit code (if available)
All vulnerability reports are handled with strict confidentiality. Your report will only be shared with the maintainers responsible for addressing the issue. We will not publicly disclose your identity without your permission.
To secure your MongoDB deployments:
- Enable TLS: Always enable TLS encryption for data in transit using cert-manager integration
- Strong Authentication: Use SCRAM-SHA-256 with strong, unique passwords stored as Kubernetes Secrets
- RBAC: Configure proper Kubernetes RBAC to limit operator permissions to least privilege
- Network Policies: Implement network policies to restrict pod-to-pod communication
- Regular Updates: Keep both the operator and underlying MongoDB versions updated
- Backup Security: Secure backup storage credentials and enable encryption for backups
- Monitoring: Enable Prometheus monitoring to detect unusual activity patterns
- Resource Limits: Set appropriate resource limits to prevent DoS attacks
The MongoDB Operator includes several security features:
- TLS Encryption: Automatic certificate management with cert-manager integration
- Authentication: SCRAM-SHA-256 authentication for secure user access
- Internal Auth: Keyfile-based authentication for inter-cluster communication
- RBAC Integration: Respects Kubernetes RBAC for access control
- Secret Management: Stores credentials securely in Kubernetes Secrets
- Prometheus Monitoring: Export metrics for security monitoring and alerting
- Secure Base Image: Uses distroless Docker images to minimize attack surface
Our disclosure process follows these guidelines:
- Initial Response: We aim to acknowledge vulnerability reports within 48 hours
- Assessment: We will assess the severity and impact of the vulnerability
- Remediation: We will develop and test a fix for the vulnerability
- Coordinated Disclosure: We will work with you to determine a disclosure timeline
- Public Release: We will publish a security advisory and release a fix
- Credit: We will credit you for the discovery (with your permission)
This project is licensed under the MIT License. As stated in the license, the software is provided "AS IS", WITHOUT WARRANTY OF ANY KIND, express or implied, including but not limited to the warranties of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, and NONINFRINGEMENT.
While we strive to maintain high security standards, you are solely responsible for determining the appropriateness of using or redistributing this project and assume any risks associated with your exercise of permissions under the license.