Add SECURITY-INSIGHTS.yml

This specification provides a mechanism for projects to report
information about their security in a machine-processable way.
It is formatted as a YAML file to make it easy to read and edit
by humans.

Signed-off-by: Sandipan Panda <[email protected]>

SECURITY-INSIGHTS.yml

@@ -0,0 +1,72 @@
+header:
+  schema-version: 1.0.0
+  expiration-date: '2024-12-16T00:00:00.000Z'
+  last-updated: '2023-12-16'
+  last-reviewed: '2023-12-16'
+  commit-hash: 8220a6eb95f0a4d75f7f2d7b14cef975f050512d
+  project-url: https://github.com/kubernetes/minikube
+  project-release: '1.32.0'
+  changelog: https://github.com/kubernetes/minikube/blob/master/CHANGELOG.md
+  license: https://github.com/kubernetes/minikube/blob/master/LICENSE
+project-lifecycle:
+  status: active
+  roadmap: https://minikube.sigs.k8s.io/docs/contrib/roadmap/
+  bug-fixes-only: false
+  core-maintainers:
+    - https://github.com/kubernetes/minikube/blob/master/OWNERS
+  release-cycle: https://minikube.sigs.k8s.io/docs/contrib/release_schedule/
+  release-process: https://minikube.sigs.k8s.io/docs/contrib/releasing/
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  automated-tools-list:
+  - automated-tool:  minikube-bot
+    action: allowed
+  contributing-policy: https://minikube.sigs.k8s.io/docs/contrib/guide/
+  code-of-conduct: https://github.com/kubernetes/minikube/blob/master/code-of-conduct.md
+documentation:
+  - https://minikube.sigs.k8s.io/docs/
+distribution-points:
+  - https://github.com/kubernetes/minikube/releases
+security-artifacts:
+  threat-model:
+    threat-model-created: false
+  self-assessment:
+    self-assessment-created: false
+security-testing:
+- tool-type: sca
+  tool-name: minikube-bot
+  tool-version: latest
+  tool-url: https://github.com/minikube-bot
+  tool-rulesets:
+  - built-in
+  integration:
+    ad-hoc: false
+    ci: false
+    before-release: false
+security-contacts:
+  - type: email
+    value: [email protected]
+    primary: true
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  email-contact: [email protected]
+  security-policy: https://github.com/kubernetes/minikube/blob/master/SECURITY.md
+  bug-bounty-available: true
+  bug-bounty-url: https://hackerone.com/kubernetes
+  in-scope:
+  - Cluster Attacks
+  - Supply Chain
+  - Components
+  out-scope:
+  - Vulnerabilities in etcd
+  - Vulnerabilities in CoreDNS
+  - Vulnerabilities specific to a hosted Kubernetes setup
+  - Vulnerabilities in hosted vendor tools, including Google docs, Slack, Discourse, Zoom
+  - Linux Vulnerabilities
+  comment: |
+    See https://hackerone.com/kubernetes for assets in scope but not eligible for bounty
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+    - https://github.com/kubernetes/minikube/blob/master/go.mod

site/content/en/docs/contrib/releasing/binaries.md

@@ -107,6 +107,9 @@ Verify release checksums by running `make check-release`
 
 If there are major changes, please send a PR to update <https://kubernetes.io/docs/setup/learning-environment/minikube/>
 
+## Update SECURITY-INSIGHTS.yml
+Make appropriate changes to [SECURITY-INSIGHTS.yml](https://github.com/kubernetes/minikube/SECURITY-INSIGHTS.yml). Check [OPENSSF Security Insights Specification](https://github.com/ossf/security-insights-spec/blob/main/specification.md) for reference.
+
 ## Announce
 
 Please mention the new release https://github.com/kubernetes/minikube/blob/master/README.md