Vulnerability Disclosure Policy

Tigera is a provider of network software for Kubernetes environments, and as such we take our responsibility to protect our customers' information very seriously. We are committed to tracking, reporting and addressing security issues in a responsible, constructive and expedient manner. Our users, customers, and partners are an important part of this process.

This policy applies to the following projects and products:

  • Project Calico
  • Calico Enterprise
  • Calico Cloud

Any service not explicitly mentioned above is excluded from this policy.

If you believe that you have identified a vulnerability in any of our products listed above, please submit a vulnerability report at Reports may be submitted anonymously. All reports should include the following information:

  • Description
  • Steps to reproduce
  • Security risk assessment (low, medium, high)
  • Potential impact
  • Recommendations (if any)
  • Any other supporting technical information

Upon receiving a vulnerability report, Tigera will take the following steps:

  1. Investigate and confirm the vulnerability
  2. Respond to you, letting you know whether we are able to confirm the vulnerability and what our assessment of the severity is
  3. Address the vulnerability through a security patch or develop a workaround for mitigating the risk
  4. If appropriate, announce the vulnerability publicly through a technical advisory, announcements in online user groups and/or release notes of the patch release

We appreciate the efforts of security researchers who discover and share security information with us. Thank you for your cooperation and collaboration with us.