The Agones Headlamp plugin is a UI extension for Headlamp that visualises Agones custom resources inside the Headlamp Kubernetes dashboard. The plugin runs entirely in the browser and communicates with the Kubernetes API through the Headlamp backend proxy.
The security of a deployment depends on correct cluster configuration (for example RBAC, network policies, and Headlamp deployment mode). Operational guidance appears in the Agones documentation, including best practices and topics such as service accounts.
Security reports are triaged by the Agones maintainers. Coordinated fixes and public advisories are published through GitHub Security Advisories when appropriate.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
If you believe you have found a security vulnerability in the Agones Headlamp plugin, please report it privately through the following steps:
- Open a private vulnerability report for this repository (also reachable from the Security tab).
- Include a clear description, affected version(s) if known, steps to reproduce, and any suspected impact or mitigations.
- If available, please also include a proof of concept, logs, or other supporting information.
Maintainers will acknowledge receipt as soon as practical, typically within five business days, and will work with you on validation, fixes, and disclosure timing.
| Project | Report to |
|---|---|
| Agones | agones-dev/agones security |
| Headlamp | headlamp-k8s/headlamp security |
We follow coordinated disclosure: details stay private until a fix is available or the risk and response have been agreed with the reporter. The exact timeline depends on severity, complexity, and release cadence; we aim to ship security fixes in patch or regular releases and to publish an advisory when users should upgrade.
Information shared with reporters, distributors, or other participants before public disclosure is confidential. It must not be shared more widely than needed to fix or validate the issue, and must not be made public before the agreed disclosure date.
If you believe embargo terms were broken, contact the maintainers through the same private reporting channel used for the issue.
Security fixes are published in releases as needed. We recommend running the latest release and keeping dependencies updated by running `npm audit` regularly.