Announcing the Flannel Embargoed Vulnerability Disclosure Process #2379
pgonin announced in Announcements
As part of our ongoing commitment to project security and maturity, the Flannel maintainers are introducing a formal Embargoed Vulnerability Announcement process. This allows downstream distributors and major consumers to receive advance notice of security vulnerabilities, ensuring they can prepare patches or advisories before a public disclosure occurs.
Flannel is a critical component of the cloud-native ecosystem. To protect the wider community, we are aligning our security practices with other CNCF projects (like Kubernetes) by providing a private channel for those who package or redistribute Flannel to stay ahead of potential threats.
New Mailing List: flannel-distributors-announce
We have established a restricted mailing list for pre-disclosure notifications:
List Address: flannel-distributors-announce@googlegroups.com
Purpose: To receive advance technical details of embargoed security vulnerabilities.
Intended Audience: Distributors, cloud providers, and downstream consumers who maintain their own Flannel implementations and need lead time for patching.
How to Join
Access to this list is restricted and manually moderated. To request access, please follow these steps:
1. Send a request to join via the Google Groups interface (or email the maintainers directly if you cannot access the UI).
2. In your request, please provide:
   - The organization you represent.
   - A brief explanation of why your organization requires early access (e.g., "We maintain a managed Kubernetes service using Flannel").
   - A commitment to honor the project's embargo dates.