Vulnerability Reporting

Reporting a Vulnerability

Report security vulnerabilities privately to security@kubermatic.com.

Do not disclose vulnerabilities publicly until a fix is released and disclosure timing is coordinated.

Please include:

Description and potential impact
Steps to reproduce
Affected versions
Suggested remediation (if any)

Response timeline:

Phase	Timeline
Acknowledgment	48 hours
Initial Assessment	7 days
Remediation	Regular updates provided

Supported Versions

Version	Supported
Latest stable	Yes
Previous minor (n-1)	3 months after new release
Older versions	No

Embargo Policy

Security vulnerabilities are handled under embargo until:

A fix is available and tested
Affected users have been notified (if applicable)
A coordinated disclosure date is agreed upon

Reporters are credited in security advisories unless anonymity is requested. Embargo violations may result in exclusion from future security communications.

Scope

Covers KubeLB Manager, CCM, Connection Manager, official Helm charts, and container images.

Out of scope: Third-party dependency vulnerabilities (report upstream), user configuration issues.