Agones runs on Kubernetes and extends the API with custom resources and controllers. The security of a deployment depends on correct cluster configuration (for example RBAC, network policies, TLS for the allocator service, and node isolation). Operational guidance appears in the Agones documentation, including best practices and topics such as service accounts and the allocator service.
Security reports are triaged by the Agones maintainers. Coordinated fixes and public advisories are published through GitHub Security Advisories when appropriate.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
If you believe you have found a security vulnerability in Agones, please report it privately through the following steps:
- Open a private vulnerability report for this repository (also reachable from the Security tab).
- Include a clear description, affected version(s) if known, steps to reproduce, and any suspected impact or mitigations.
- If available, please also include a Proof-of-concept, logs, or other supporting information.
Maintainers will acknowledge receipt as soon as practical, typically within five business days, and will work with you on validation, fixes, and disclosure timing.
We follow coordinated disclosure: details stay private until a fix is available or the risk and response have been agreed with the reporter. The exact timeline depends on severity, complexity, and release cadence; we aim to ship security fixes in patch or regular releases and to publish an advisory when users should upgrade.
Information shared with reporters, distributors, or other participants before public disclosure is confidential. It must not be shared more widely than needed to fix or validate the issue, and must not be made public before the agreed disclosure date.
If you believe embargo terms were broken, contact the maintainers through the same private reporting channel used for the issue.
Security fixes are published in releases as needed. We recommend running a currently supported Kubernetes version and upgrading to the latest Agones release you can adopt, especially when release notes or advisories reference security-related changes.