The containerd project has a significant focus on the security of the container runtime layer on which so many other software systems depend. We have a clear and well-documented security process and use GitHub security features and their CVE numbering authority to properly disclose any identified and verified vulnerabilities.
Reporting security issues
Please follow the project’s reporting process outlined in SECURITY.md within the containerd/project GitHub repository.
Security audits are performed from time to time for the project, enabled by investment from the CNCF or other interested parties. When these audits result in public reports, we will publish them in the following table.
| Report | Description | Date |
|---|---|---|
| Fuzzing audit - ADA-fuzzing-audit-21-22.pdf | Fuzzing audit funded by the CNCF, audit by Ada Logics | March 2023 |
| CNCF Graduated Project audit - SECURITY_AUDIT.pdf | Security audit funded by the CNCF, audit by Cure53 | Nov 2018 |