We understand that users place trust in the software and services that Kinvolk makes and distributes. This is critical infrastructure for communities and companies. This is a responsibility that we take seriously and is our top priority.

Disclosure

For issues under an embargo, Kinvolk does not issue a disclosure until an investigation is complete and the agreed date has been reached.

There is a private [email protected] list to receive actionable advisory information related to Kinvolk software or services. Please contact [email protected] for information on subscribing there.

Reporting

Reporting found issues or concerns in kinvolk software or services, please email [email protected] .

When reporting an issue, please include:

  • versions of tools and components involved
  • reproducer or proof-of-concept
  • relevant output

Flatcar Container Linux

Signing key

Flatcar Container Linux images are available for download, signed by the GPG key described in flatcar-linux.org/security .

Update Key

Flatcar Container Linux public update key is available in its repository .

On a Flatcar server, this key is available on the read only dm-verity mounted /usr partition at:

/usr/share/update_engine/update-payload-key.pub.pem

Lokomotive Kubernetes

Signing Key

Releases of Lokomotive are signed by keys prescribed in its keys document .