The MOCO maintainers take the security of MOCO seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Security fixes are provided only for the latest released version of MOCO. We strongly recommend always running the most recent release.
For the list of releases, see the Releases page.
Note that MOCO depends on specific versions of MySQL and Kubernetes. Only the combinations listed in the README are tested and supported.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report them privately through GitHub's private vulnerability reporting feature, which is the only channel through which we accept vulnerability reports:
- Go to the Security tab of this repository.
- Click Report a vulnerability.
- Fill in the advisory form with as much detail as possible.
Please do not publicly disclose the vulnerability, in whole or in part, without the maintainers' prior consent. We ask that you give us a reasonable amount of time to investigate and release a fix, and coordinate the timing of any public disclosure with us.
To help us triage and fix the issue quickly, please include as much of the following as you can:
- A description of the vulnerability and its potential impact.
- The affected version(s) of MOCO (and, if relevant, MySQL / Kubernetes versions).
- Steps to reproduce, or a proof-of-concept.
- Any known workarounds or mitigations.
We do not accept reports that are based solely on the output of automated security scanners (for example, vulnerabilities reported against MOCO's dependencies). Such tools frequently produce false positives, and a dependency advisory does not necessarily mean MOCO is affected. Before reporting, please confirm that the issue is actually exploitable in the context of MOCO and include an explanation or proof-of-concept of how it can be exploited.