KrakenD takes cybersecurity seriously.
We craft our software without taking shortcuts, making it solid and reliable and free of practices that might introduce future security problems.
This document describes our security policy and how you can help us make a better software if you find problems.
KrakenD to become a CVE Numbering Authority (CNA)
KrakenD is in the process of becoming a CVE Numbering Authority (CNA) worldwide for software distribution and open-source projects.
We are partnering with the CVE Program to assign CVE IDs and publish CVE Records publicly for vulnerabilities within any KrakenD software or the Lura Project (© the Linux Foundation), so we:
- Demonstrate mature vulnerability management practices and a commitment to cybersecurity to customers and open-source users.
- Communicate value-added vulnerability information to our user base.
- Assign public CVE IDs.
- Streamline vulnerability disclosure processes.
How do we apply fixes
When you report a new vulnerability, KrakenD investigates the issue and tries to reproduce it. Sometimes there are vulnerabilities in external open-source libraries we use. These vulnerabilties do not necessarily transfer to KrakenD as most of the times we include a limited number of their functionality, and this has to be analyzed case by case. We don’t have a policy of updating to latest versions of these libraries if there is no reason for it.
Once the vulnerability is confirmed, KrakenD creates a new CVE ID that is not disclosed publicly until there is a fix for it.
We work on the fix that is applied to the latest version, which makes a new release of the software. We don’t patch prior versions, although some KrakenD Enterprise customers could have justified exceptions to this rule.
Once the sofware is corrected, we publish the new release and announce it through several channels: Github release, Newlsetter (see at the bottom of this page), and Twitter.
How to report a vulnerability
If you are an existing KrakenD customer or partner, please submit a support ticket or contact KrakenD through any Enterprise channels explaining your findings.
If you are not a customer, please email [email protected] with your discovery.
As soon as we read and understand your finding we will provide an answer with next steps and possible timelines.
Credits and rewards
We want to thank you in advance for the time you have spent to follow this issue, as it helps all users. We develop our software in the open with the help of a global community of developers and contributors with whom we share a common understanding and trust in the free exchange of knowledge.
KrakenD’s policy is to credit and reward all researchers provided they follow responsible disclosure practices:
- They do not publish the vulnerability prior to KrakenD releasing a fix for it.
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.
- KrakenD does not credit employees of KrakenD for vulnerabilities they have found.
Current rewards could include (but are not limited to):
- Addition of the researcher (full name or alias) to the CVE ID.
- Public acknowledgement in release notes when a fix for reported security bug is issued
- Addition to the KrakenD Contributors Github organization
- Opportunity to meet with our technical staff
- KrakenD swag
KrakenD DOES NOT provide cash awards for discovered vulnerabilities at this time.