# Stella Ops Security Policy & Responsible Disclosure

*Version 3 · 2025-07-15*

---

## 0 · Supported versions 🗓️

| Release line | Status | Security fix window |
|--------------|--------|---------------------|
| **v0.1 α** (late 2025) | *Upcoming* | 90 days after GA of v0.2 |
| **v0.2 β** (Q1 2026) | *Planned* | 6 months after GA of v0.3 |
| **v0.3 β** (Q2 2026) | *Planned* | 6 months after GA of v0.4 |
| **v0.4 RC** (Q3 2026) | *Planned* | Until v1.0 GA |
| **v1.0 GA** (Q4 2026) | *Future LTS* | 24 months from release |

Pre-GA lines receive **critical** and **high**-severity fixes only.

---

## 1 · How to report a vulnerability 🔒

| Channel | PGP-encrypted? | Target SLA |
|---------|----------------|------------|
| `security@stella-ops.org` | **Yes** – PGP key: [`/keys/#pgp`](../keys/#pgp) | 72 h acknowledgement |
| Matrix DM → `@sec-bot:libera.chat` | Optional | 72 h acknowledgement |
| Public issue with label `security` | No (for non-confidential flaws only) | 7 d acknowledgement |

Please include:

* Affected version(s) and environment
* Reproduction steps or PoC
* Impact assessment (data exposure, RCE, DoS, etc.)
* Preferred disclosure timeline / CVE request info

---

## 2 · Our disclosure process 📜

1. **Triage** – confirm the issue, assess severity, assign a CVSS v4 score.
2. **Patch development** – branch created in a private mirror; PoCs kept confidential.
3. **Pre-notification** – downstream packagers & large adopters alerted **72 h** before release.
4. **Co-ordinated release** – patched version + advisory (GHSA + CVE) + SBOM delta.
5. **Credits** – researchers listed in release notes (opt-in).

We aim for **30 days** from report to release for critical/high issues; medium/low may wait for the next scheduled release.
---

## 3 · Existing safeguards ✅

| Layer | Control |
|-------|---------|
| **Release integrity** | `cosign` signatures + SPDX SBOM on every artefact |
| **Build pipeline** | Reproducible, fully declarative CI; SBOM diff verified in CI |
| **Runtime hardening** | Non-root UID, distroless-glibc base, SELinux/AppArmor profiles, cgroup CPU/RAM caps |
| **Access logs** | Retained **7 days**, then reduced to a `sha256(ip)` hash |
| **Quota ledger** | Stores the *token-ID hash* only, no plain e-mail/IP |
| **Air-gap support** | Signed **Offline Update Kit** (OUK); signature and attestation validated before import |
| **Secure defaults** | TLS 1.3 by default (alternative suites such as GOST only via a TLS provider plug-in), HTTP Strict-Transport-Security, Content-Security-Policy |
| **SBOM re-scan** | Nightly cron re-checks previously "clean" images against fresh CVE feeds |

---

## 4 · Cryptographic keys 🔑

| Purpose | Fingerprint | Where to fetch |
|---------|-------------|----------------|
| **PGP (sec-team)** | `3A5C 71F3 ... 7D9B` | [`/keys/#pgp`](../keys/#pgp) |
| **Cosign release key** | `AB12 ... EF90` | [`/keys/#cosign`](../keys/#cosign) |

Verify every download before use. Downloads are served over TLS 1.3 by default; TLS 1.2 is accepted only when a custom TLS provider (for example GOST cipher suites) is configured. Transport encryption is not a substitute for the signature check: fetch the release key, compare it against the fingerprint in the table above, and run `cosign verify` against the image you intend to run.

```bash
cosign verify \
  --key https://stella-ops.org/keys/cosign.pub \
  registry.stella-ops.org/stella-ops/stella-ops:
```

---

## 5 · Private-feed mirrors 🌐

The **FeedMerge** service provides a signed SQLite snapshot merging:

* OSV + GHSA
* (optional) NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU regionals

The snapshot ships in every Offline Update Kit and is validated against its in-toto SLSA attestation at import time: the importer checks the attestation signature and that the attested subject digest matches the snapshot actually being loaded.

---

## 6 · Hall of Thanks 🏆

We are grateful to the researchers who help keep Stella Ops safe:

| Release | Researcher | Handle / Org |
|---------|------------|--------------|
| *empty* | *(your name here)* | |

---
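The import-time check described for the Offline Update Kit in sections 3 and 5 is worth seeing in full, because the two failure modes it guards against (a valid attestation attached to the wrong bytes, and a well-formed statement from an untrusted builder) are easy to get wrong. The block below is an added example and not Stella Ops code: it verifies a constructed in-toto v1 Statement carrying SLSA provenance v1 inside a DSSE envelope, checking the signature over the DSSE pre-authentication encoding (PAE) before parsing the payload, then binding the attested `sha256` subject to the snapshot bytes and pinning the builder ID. The builder URL, the snapshot bytes, the key and the envelope are all hypothetical, and the signature primitive is an HMAC-SHA256 stand-in (pure stdlib) for the asymmetric cosign/sigstore signature a real importer would verify.

```python
"""Import-time validation of a FeedMerge snapshot against its DSSE/in-toto attestation.
Added example, not Stella Ops code. All data below is constructed; HMAC stands in
for the publisher's asymmetric signature (cosign/sigstore in the real OUK flow)."""
import base64
import hashlib
import hmac
import json

# Hypothetical builder identity; a real importer pins the project's published ID.
TRUSTED_BUILDER_ID = "https://stella-ops.org/feedmerge/v1"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding, the bytes a DSSE signature actually covers:
    "DSSEv1" SP len(type) SP type SP len(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


class AttestationError(Exception):
    pass


def verify_snapshot(envelope: dict, snapshot: bytes, key: bytes) -> dict:
    """Return the verified SLSA predicate or raise AttestationError.
    The signature is checked over PAE *before* the payload is parsed, so untrusted
    JSON is never interpreted first."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise AttestationError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"], validate=True)
    signed = pae(INTOTO_PAYLOAD_TYPE, payload)
    # Stand-in primitive: HMAC-SHA256 with a shared key. Production importers
    # verify an asymmetric signature (Ed25519/ECDSA via cosign) here instead.
    ok = any(hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(),
                                 base64.b64decode(s["sig"]))
             for s in envelope.get("signatures") or [])
    if not ok:
        raise AttestationError("no valid signature over PAE")

    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE:
        raise AttestationError("not an in-toto v1 Statement")
    if stmt.get("predicateType") != PROVENANCE_TYPE:
        raise AttestationError("predicate is not SLSA provenance v1")

    # Bind the attestation to the bytes actually being imported, not to a filename.
    actual = hashlib.sha256(snapshot).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual for s in stmt.get("subject") or []):
        raise AttestationError("snapshot sha256 not among attested subjects")

    builder = stmt["predicate"].get("runDetails", {}).get("builder", {}).get("id")
    if builder != TRUSTED_BUILDER_ID:
        raise AttestationError(f"untrusted builder {builder!r}")
    return stmt["predicate"]


# Constructed sample data (not real FeedMerge output).
SAMPLE_KEY = b"demo-shared-secret-not-for-production"
SAMPLE_SNAPSHOT = b"SQLite format 3\x00" + b"constructed feedmerge snapshot body"


def make_envelope(snapshot: bytes, key: bytes, builder_id: str = TRUSTED_BUILDER_ID) -> dict:
    """Publisher side: wrap a SLSA v1 statement for `snapshot` in a signed DSSE envelope."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "feedmerge.sqlite",
                     "digest": {"sha256": hashlib.sha256(snapshot).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {"buildType": "https://stella-ops.org/feedmerge/build/v1",
                                "externalParameters": {"sources": ["osv", "ghsa"]}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(INTOTO_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def import_check(envelope: dict, snapshot: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Importer entry point: 'accepted' or 'rejected: <reason>'."""
    try:
        verify_snapshot(envelope, snapshot, key)
        return "accepted"
    except (AttestationError, KeyError, ValueError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    env = make_envelope(SAMPLE_SNAPSHOT, SAMPLE_KEY)
    print(import_check(env, SAMPLE_SNAPSHOT))                # accepted
    print(import_check(env, SAMPLE_SNAPSHOT + b"tampered"))  # rejected: subject mismatch
    print(import_check(make_envelope(SAMPLE_SNAPSHOT, SAMPLE_KEY,
                                     "https://evil.example/builder"), SAMPLE_SNAPSHOT))
```

The second case in the usage block is the instructive one: the envelope itself is untouched, so the signature still verifies, and only the subject-digest comparison against the bytes on disk catches the swapped snapshot. Checking the signature without that binding, or matching on the `name` field instead of the digest, would accept it.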