If you discover a security vulnerability in Harbor, please report it privately. Do not open a public GitHub issue for security-sensitive reports.

• Email: security@krakennetworks.com
• Subject line: [SECURITY] <short description>

Please include:

• A description of the issue and its potential impact.
• Steps to reproduce, including any proof-of-concept code, logs, or screenshots.
• The affected version(s), commit hash, or deployment.
• Your name and contact info if you would like to be credited.

We are committed to handling reports promptly and transparently:

• Acknowledgement: within 5 business days of receipt.
• Triage and initial assessment: within 10 business days.
• Fix or mitigation: within 90 days of the original report (our coordinated-disclosure SLA).

If a fix cannot be delivered within 90 days, we will communicate the reason and a revised timeline directly to the reporter before any public disclosure.

This policy applies to the Harbor codebase in this repository and any official artifacts produced from it. Vulnerabilities in third-party dependencies should be reported to their respective maintainers; we are happy to coordinate.

We will not pursue legal action against researchers who:

• Make a good-faith effort to comply with this policy.
• Avoid privacy violations, service degradation, and destruction of data.
• Give us reasonable time to remediate before public disclosure.

Thank you for helping keep Harbor and its users safe.