# Security Policy

## Supported Versions
We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

- Do NOT open a public GitHub issue
- Email security details to: security@the-order.org (or your security contact)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
### Response Timeline

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (see below)

### Severity Levels

- Critical: Remote code execution, authentication bypass, data breach
  - Fix timeline: 24-48 hours
- High: Privilege escalation, sensitive data exposure
  - Fix timeline: 7 days
- Medium: Information disclosure, denial of service
  - Fix timeline: 30 days
- Low: Best practices, defense in depth
  - Fix timeline: Next release cycle
## Security Practices

### Secrets Management
- All secrets must be encrypted using SOPS
- Never commit plaintext secrets
- Use environment variables for configuration
- Rotate secrets regularly
- Use short-lived tokens via OIDC
### Code Security
- All code must pass security linting (ESLint security plugins)
- Dependencies are scanned for vulnerabilities (Grype)
- Container images are signed (Cosign)
- SBOM generation for all artifacts (Syft)
### Infrastructure Security
- Immutable infrastructure via Terraform
- Secrets stored in KMS/HSM
- Network policies enforced via Kubernetes
- API gateway with WAF rules
- Regular security audits and penetration testing
### Access Control
- Least privilege principle
- Quarterly access reviews
- MFA required for all production access
- Audit logs for all sensitive operations
### Compliance
- eIDAS compliance for identity services
- Data retention policies per jurisdiction
- WORM storage for legal documents
- Audit trails for all financial transactions
## Security Updates
Security updates are released as:
- Hotfixes: For critical vulnerabilities
- Patch releases: For high/medium severity issues
- Regular releases: For low severity and general improvements
## Disclosure Policy

- Vulnerabilities are disclosed after a fix is available
- Coordinated disclosure with responsible parties
- CVE assignment for eligible vulnerabilities
- Security advisories published in `docs/governance/security-advisories/`
## Contact
- Security Email: security@the-order.org
- PGP Key: [Link to public key]
- Security Team: @the-order/security-team