We provide security fixes for the latest released version of HelmForge-maintained artifacts, including Helm charts, utility container images, MCP packages, and documentation/runtime tooling.
Older versions are not actively maintained unless a maintainer explicitly marks a release line as supported in the affected repository.
If you discover a security vulnerability in any HelmForge repository or published artifact, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, use one of the following methods:
- GitHub Security Advisories / Private Vulnerability Reporting (preferred): use the affected repository's Security tab when available.
- Charts repository advisory: for chart issues, report a vulnerability in
helmforgedev/charts. - Email: berlofa@helmforge.dev or maicon.berloffa@gmail.com
If you are unsure which repository is affected, use email and include as much context as possible. Maintainers will route the report to the right repository.
- Affected repository or artifact
- Chart, package, image, or version affected
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
- Acknowledgment: within 72 hours
- Initial assessment: within 7 days
- Fix or mitigation: best effort, typically within 30 days depending on severity
This organization-wide policy covers vulnerabilities in HelmForge-maintained repositories and artifacts, including:
- Helm chart templates and default configurations
- Utility images and Docker packaging maintained by HelmForge
- MCP server, MCP tool packages, resources, prompts, and validation logic
- CI/CD workflows, release automation, and repository metadata
- Default
values.yamlsettings that introduce security risks
This policy does not cover:
- Vulnerabilities in upstream application images (report those to the upstream project)
- Misconfiguration by end users in their own
values.yamloverrides - Infrastructure or cluster-level security issues
When deploying HelmForge charts in production:
- Always pin chart versions (
--version) - Review
values.yamldefaults before deploying - Use
securityContextandpodSecurityContextsettings provided by each chart - Enable network policies where your cluster supports them
- Use TLS for ingress endpoints
- Rotate credentials and secrets regularly
When using HelmForge utility images or MCP packages:
- Pin image tags and package versions
- Review runtime permissions, mounted credentials, and network access
- Keep dependencies updated through the published release process