How (quickly) does Rancher respond to / resolve industry-reported vulnerabilities?
This document (000020476) is provided subject to the disclaimer at the end of this document.
Environment
The following information applies to the following SUSE products
- Rancher
- RKE
- RKE2
- K3s
- Harvester
- Longhorn
- NeuVector
Resolution
For industry-reported vulnerabilities in Rancher, RKE, RKE2, K3s, Harvester, Longhorn, NeuVector and upstream vulnerabilities in Kubernetes, Docker, and containerd, SUSE Rancher strives to adhere to industry standards and best practices. Due to the nature of upstream dependencies inherent to open-source software, the final delivery of patch releases may vary in timeline. We will prioritize our efforts and coordinate with upstream organizations and third-party entities according to the following guidelines:
- Critical: Immediate engagement to remediate the issue in code, and/or coordinate with upstream and/or third-party entities to deliver the remediation in the shortest timeline available. This includes creating an emergency release patch version when an existing one is not readily available.
- High: Prioritized engagement to align the delivery of the remediation with our next available release cycle. An emergency release should only be needed if the next available security release cycle does not fall within a reasonable timeline.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.