feat: add CVE policy for mesh

Signed-off-by: John Harris <[email protected]>
Kong · Oct 29, 2024 · 52aba78 · 52aba78
1 parent 8011300
commit 52aba78
Show file tree

Hide file tree

Showing 15 changed files with 56 additions and 1 deletion.
diff --git a/app/_src/mesh/features/access-audit.md b/app/_src/mesh/features/access-audit.md
@@ -1,5 +1,6 @@
 ---
 title: Access Audit
+badge: enterprise
 ---
 
 Access Audit lets you track all actions that are executed in {{site.mesh_product_name}}.

diff --git a/app/_src/mesh/features/acmpca.md b/app/_src/mesh/features/acmpca.md
@@ -1,5 +1,6 @@
 ---
 title: ACM Private CA Policy
+badge: enterprise
 ---
 
 ## Amazon Certificate Manager Private CA Backend

diff --git a/app/_src/mesh/features/ca-rotation.md b/app/_src/mesh/features/ca-rotation.md
@@ -1,5 +1,6 @@
 ---
 title: Certificate Authority rotation
+badge: enterprise
 ---
 
 ## Overview

diff --git a/app/_src/mesh/features/cert-manager.md b/app/_src/mesh/features/cert-manager.md
@@ -1,5 +1,6 @@
 ---
 title: Kubernetes cert-manager CA Policy
+badge: enterprise
 ---
 
 ## cert-manager CA Backend

diff --git a/app/_src/mesh/features/fips-support.md b/app/_src/mesh/features/fips-support.md
@@ -1,5 +1,6 @@
 ---
 title: FIPS Support
+badge: enterprise
 ---
 
 With version 1.2.0, {{site.mesh_product_name}} provides built-in support for the Federal Information Processing Standard (FIPS-2). Compliance with this standard is typically required for working with U.S. federal government agencies and their contractors.

diff --git a/app/_src/mesh/features/index.md b/app/_src/mesh/features/index.md
@@ -1,6 +1,7 @@
 ---
 title: Enterprise Features
 content_type: explanation
+badge: enterprise
 ---
 
 {{site.mesh_product_name}} builds on top of Kuma with the following Enterprise features:

diff --git a/app/_src/mesh/features/kds-auth.md b/app/_src/mesh/features/kds-auth.md
@@ -1,5 +1,6 @@
 ---
 title: Multi-zone authentication
+badge: enterprise
 ---
 
 To add to the security of your deployments, {{site.mesh_product_name}} provides authentication of zone control planes to the global control plane.

diff --git a/app/_src/mesh/features/meshopa.md b/app/_src/mesh/features/meshopa.md
@@ -1,6 +1,7 @@
 ---
 title: MeshOPA - OPA Policy Integration
 content_type: reference
+badge: enterprise
 ---
 
 

diff --git a/app/_src/mesh/features/opa.md b/app/_src/mesh/features/opa.md
@@ -1,5 +1,6 @@
 ---
 title: OPA Policy Integration
+badge: enterprise
 ---
 
 ## OPA policy plugin

diff --git a/app/_src/mesh/features/openshift-quickstart.md b/app/_src/mesh/features/openshift-quickstart.md
@@ -2,6 +2,7 @@
 title: Get started with Red Hat OpenShift and Kong Mesh
 content_type: tutorial
 description: This guide explains how to get started on Kong Mesh with Red Hat OpenShift.
+badge: enterprise
 ---
 
 In this guide, you will learn how to get {{site.mesh_product_name}} up and running quickly in [standalone mode](/mesh/{{page.release}}/production/deployment/stand-alone/) on [Red Hat OpenShift](https://www.redhat.com/technologies/cloud-computing/openshift). This tutorial assumes some base-level OpenShift knowledge.

diff --git a/app/_src/mesh/features/rbac.md b/app/_src/mesh/features/rbac.md
@@ -1,5 +1,6 @@
 ---
 title: Role-Based Access Control
+badge: enterprise
 ---
 
 Role-Based Access Control (RBAC) lets you restrict access to resources and actions to specified users or groups, based on user roles.

diff --git a/app/_src/mesh/features/ubi-images.md b/app/_src/mesh/features/ubi-images.md
@@ -1,5 +1,6 @@
 ---
 title: Red Hat Universal Base Images
+badge: enterprise
 ---
 
 In addition to the standard {{site.mesh_product_name}} images built on Alpine Linux, {{site.mesh_product_name}} also ships with images based on the [Red Hat Universal Base Image (UBI)](https://developers.redhat.com/products/rhel/ubi).

diff --git a/app/_src/mesh/features/vault.md b/app/_src/mesh/features/vault.md
@@ -1,5 +1,6 @@
 ---
 title: Vault Policy
+badge: enterprise
 ---
 
 ## Vault CA Backend

diff --git a/app/_src/mesh/features/windows.md b/app/_src/mesh/features/windows.md
@@ -2,7 +2,7 @@
 title: Kong Mesh with Windows
 ---
 
-{% if_version gte:2.4.x %}
+{% if_version gte:2.4.x lt:2.11.x %}
 
 To install and run {{site.mesh_product_name}} on Windows:
 

diff --git a/app/_src/mesh/vulnerability-patching-process.md b/app/_src/mesh/vulnerability-patching-process.md
@@ -0,0 +1,42 @@
+---
+title: Vulnerability Patching Process
+badge: enterprise
+---
+
+{{site.mesh_product_name}} is primarily delivered as [binary files](/mesh/{{page.release}}/install) installable artifacts. Kong also offers Docker images with the artifacts preinstalled as a convenience to customers. At the time of release, all artifacts and images are patched, scanned and are free of publicly-known vulnerabilities. 
+
+## Types of Vulnerabilities
+
+Generally, there may be three types of vulnerabilities:
+* In {{site.mesh_product_name}} code
+* In third-party code that {{site.mesh_product_name}} directly links (such as Envoy, CoreDNS, OPA, etc)
+* In third-party code that is part of the convenience Docker image (such as Python, Perl, cURL, etc). This code is not part of {{site.mesh_product_name}}.
+
+Vulnerabilities reported in {{site.mesh_product_name}} code will be assessed by Kong and if the vulnerability is validated, a CVSS3.0 score will be assigned. Based on the CVSS score, Kong will aim to produce patches for all applicable {{site.mesh_product_name}} versions currently under support within the SLAs below. The SLA clock starts from the day the CVSS score is assigned.
+
+For a CVSS 3.0 Critical vulnerability (CVSS > 9.0), Kong will provide a workaround/recommendation as soon as possible.  This will take the shape of a configuration change recommendation, if available. If there is no workaround/recommendation readily available, Kong will use continuous efforts to develop one.  For a CVSS <9.0, Kong will use commercially-reasonable efforts to provide a workaround or patch within the applicable SLA period.
+
+|  CVSS 3.0 Criticality | CVSS 3.0 Score |  SLA |
+|---|---|---|
+| Critical  | 9.0 - 10.0  |  15 days |
+| High  |  7.0 - 8.9 |  30 days |
+|  Medium |  4.0 - 6.9 |  90 days |
+|  Low |  0.1 - 3.9 | 180 days  |
+
+
+Vulnerabilities reported in third party-code that {{site.mesh_product_name}} links directly must have confirmed CVE numbers assigned. Kong will aim to produce patches for all applicable {{site.mesh_product_name}} versions currently under support within the SLA reproduced in the table below. The SLA clock for these vulnerabilities starts from the day the upstream (third party) announces availability of patches.  
+
+|  CVSS 3.0 Criticality | CVSS 3.0 Score |  SLA |
+|---|---|---|
+| Critical  | 9.0 - 10.0  |  15 days |
+| High  |  7.0 - 8.9 |  30 days |
+|  Medium |  4.0 - 6.9 |  90 days |
+|  Low |  0.1 - 3.9 | 180 days  |
+
+
+Vulnerabilities reported in third-party code that is part of the convenience Docker images are only addressed by Kong as part of the regularly scheduled release process. These vulnerabilities are not exploitable during normal {{site.mesh_product_name}} operations. Kong always applies all available patches when releasing a Docker image, but by definition images accrue vulnerabilities over time. All customers using containers are strongly urged to generate their own images using their secure corporate approved base images. Customers wishing to use the convenience images from Kong should always apply the latest patches for their Gateway version to receive the latest patched container images. Kong does not undertake to address third-party vulnerabilities in convenience images outside of the scheduled release mechanism.
+
+## Reporting Vulnerabilities in Kong code
+
+If you are reporting a vulnerability in Kong code, we request you to follow the instructions in the [Kong Vulnerability Disclosure Program](https://konghq.com/compliance/bug-bounty). 
+