stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
304118b66510e7088c7572a9ec1155320cc8e81d
git.stella-ops.org/docs/13_SECURITY_POLICY.md
master 304118b665
Some checks failed
Build Test Deploy / build-test (push) Has been cancelled
Details
Build Test Deploy / docs (push) Has been cancelled
Details
Build Test Deploy / deploy (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
commit and up
2025-10-07 08:33:54 +03:00

102 lines
3.9 KiB
Markdown
Executable File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# StellaOps SecurityPolicy & Responsible Disclosure
*Version 3 · 20250715*
---
## 0·Supported versions🗓
| Release line | Status | Securityfix window |
|--------------|--------|---------------------|
| **v0.1 α** (late 2025) | *Upcoming* | 90days after GA of v0.2 |
| **v0.2 β** (Q12026) | *Planned* | 6months after GA of v0.3 |
| **v0.3 β** (Q22026) | *Planned* | 6months after GA of v0.4 |
| **v0.4 RC** (Q32026) | *Planned* | Until v1.0 GA |
| **v1.0 GA** (Q42026) | *Future LTS* | 24months from release |
PreGA lines receive **critical** and **high**severity fixes only.
---
## 1·How to report a vulnerability 🔒
| Channel | PGPencrypted? | Target SLA |
|---------|---------------|-----------|
| `security@stella-ops.org` | **Yes** PGP key: [`/keys/#pgp`](../keys/#pgp) | 72h acknowledgement |
| Matrix DM → `@secbot:libera.chat` | Optional | 72h acknowledgement |
| Public issue with label `security` | No (for nonconfidential flaws) | 7d acknowledgement |
Please include:
* Affected version(s) and environment
* Reproduction steps or PoC
* Impact assessment (data exposure, RCE, DoS, etc.)
* Preferred disclosure timeline / CVE request info
---
## 2·Our disclosure process 📜
1. **Triage** confirm the issue, assess severity, assign CVSS v4 score.
2. **Patch development** branch created in a private mirror; PoCs kept confidential.
3. **Prenotification** downstream packagers & large adopters alerted **72h** before release.
4. **Coordinated release** patched version + advisory (GHSA + CVE) + SBOM delta.
5. **Credits** researchers listed in release notes (optin).
We aim for **30days** from report to release for critical/high issues; medium/low may wait for the next scheduled release.
---
## 3·Existing safeguards 
| Layer | Control |
|-------|---------|
| **Release integrity** | `cosign` signatures + SPDX SBOM on every artefact |
| **Build pipeline** | Reproducible, fully declarative CI; SBOM diff verified in CI |
| **Runtime hardening** | Nonroot UID, distrolessglibc base, SELinux/AppArmor profiles, cgroup CPU/RAM caps |
| **Access logs** | Retained **7days**, then `sha256(ip)` hash |
| **Quota ledger** | Stores *tokenID hash* only, no plain email/IP |
| **Airgap support** | Signed **Offline Update Kit** (OUK) validated before import |
| **Secure defaults** | TLS1.3 (or stronger via plugin), HTTPStrictTransportSecurity, ContentSecurityPolicy |
| **SBOM rescan** | Nightly cron rechecks previously “clean” images against fresh CVE feeds |
---
## 4·Cryptographic keys 🔑
| Purpose | Fingerprint | Where to fetch |
|---------|-------------|----------------|
| **PGP (secteam)** | `3A5C 71F3 ... 7D9B` | [`/keys/#pgp`](../keys/#pgp) |
| **Cosign release key** | `AB12 ... EF90` | [`/keys/#cosign`](../keys/#cosign) |
Verify all downloads (TLS1.3 by default; 1.2 allowed only via a custom TLS provider such as GOST):
```bash
cosign verify \
--key https://stella-ops.org/keys/cosign.pub \
registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
````
---
## 5·Privatefeed mirrors 🌐
The **Feedser (vulnerability ingest/merge/export service)** provides signed JSON and Trivy DB snapshots that merge:
* OSV + GHSA
* (optional) NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU regionals
The snapshot ships in every Offline Update Kit and is validated with an intoto SLSA attestation at import time.
---
## 6·Hall of Thanks 🏆
We are grateful to the researchers who help keep StellaOps safe:
| Release | Researcher | Handle / Org |
| ------- | ------------------ | ------------ |
| *empty* | *(your name here)* | |
---
Reference in New Issue View Git Blame Copy Permalink