Initial commit (history squashed)

docs/13_SECURITY_POLICY.md

@@ -0,0 +1,101 @@
+# Stella Ops Security Policy & Responsible Disclosure  
+*Version 3 · 2025‑07‑15*  
+
+---
+
+## 0 · Supported versions 🗓️
+
+| Release line | Status | Security fix window |
+|--------------|--------|---------------------|
+| **v0.1 α** (late 2025) | *Upcoming* | 90 days after GA of v0.2 |
+| **v0.2 β** (Q1 2026) | *Planned* | 6 months after GA of v0.3 |
+| **v0.3 β** (Q2 2026) | *Planned* | 6 months after GA of v0.4 |
+| **v0.4 RC** (Q3 2026) | *Planned* | Until v1.0 GA |
+| **v1.0 GA** (Q4 2026) | *Future LTS* | 24 months from release |
+
+Pre‑GA lines receive **critical** and **high**‑severity fixes only.
+
+---
+
+## 1 · How to report a vulnerability 🔒
+
+| Channel | PGP‑encrypted? | Target SLA |
+|---------|---------------|-----------|
+| `security@stella-ops.org` | **Yes** – PGP key: [`/keys/#pgp`](../keys/#pgp) | 72 h acknowledgement |
+| Matrix DM → `@sec‑bot:libera.chat` | Optional | 72 h acknowledgement |
+| Public issue with label `security` | No (for non‑confidential flaws) | 7 d acknowledgement |
+
+Please include:
+
+* Affected version(s) and environment  
+* Reproduction steps or PoC  
+* Impact assessment (data exposure, RCE, DoS, etc.)  
+* Preferred disclosure timeline / CVE request info
+
+---
+
+## 2 · Our disclosure process 📜
+
+1. **Triage** – confirm the issue, assess severity, assign CVSS v4 score.  
+2. **Patch development** – branch created in a private mirror; PoCs kept confidential.  
+3. **Pre‑notification** – downstream packagers & large adopters alerted **72 h** before release.  
+4. **Co‑ordinated release** – patched version + advisory (GHSA + CVE) + SBOM delta.  
+5. **Credits** – researchers listed in release notes (opt‑in).
+
+We aim for **30 days** from report to release for critical/high issues; medium/low may wait for the next scheduled release.
+
+---
+
+## 3 · Existing safeguards ✅
+
+| Layer | Control |
+|-------|---------|
+| **Release integrity** | `cosign` signatures + SPDX SBOM on every artefact |
+| **Build pipeline** | Reproducible, fully declarative CI; SBOM diff verified in CI |
+| **Runtime hardening** | Non‑root UID, distroless‑glibc base, SELinux/AppArmor profiles, cgroup CPU/RAM caps |
+| **Access logs** | Retained **7 days**, then `sha256(ip)` hash |
+| **Quota ledger** | Stores *token‑ID hash* only, no plain e‑mail/IP |
+| **Air‑gap support** | Signed **Offline Update Kit** (OUK) validated before import |
+| **Secure defaults** | TLS 1.3 (or stronger via plug‑in), HTTP Strict‑Transport‑Security, Content‑Security‑Policy |
+| **SBOM re‑scan** | Nightly cron re‑checks previously “clean” images against fresh CVE feeds |
+
+---
+
+## 4 · Cryptographic keys 🔑
+
+| Purpose | Fingerprint | Where to fetch |
+|---------|-------------|----------------|
+| **PGP (sec‑team)** | `3A5C ​71F3 ​... ​7D9B` | [`/keys/#pgp`](../keys/#pgp) |
+| **Cosign release key** | `AB12 ... EF90` | [`/keys/#cosign`](../keys/#cosign) |
+
+Verify all downloads (TLS 1.3 by default; 1.2 allowed only via a custom TLS provider such as GOST):
+
+
+```bash
+cosign verify \
+  --key https://stella-ops.org/keys/cosign.pub \
+  registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
+````
+
+---
+
+## 5 · Private‑feed mirrors 🌐
+
+The **Feedser (vulnerability ingest/merge/export service)** provides signed JSON and Trivy DB snapshots that merge:
+
+* OSV + GHSA
+* (optional) NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU  regionals
+
+The snapshot ships in every Offline Update Kit and is validated with an in‑toto SLSA attestation at import time.
+
+---
+
+## 6 · Hall of Thanks 🏆
+
+We are grateful to the researchers who help keep Stella Ops safe:
+
+| Release | Researcher         | Handle / Org |
+| ------- | ------------------ | ------------ |
+| *empty* | *(your name here)* |              |
+
+---