We actively maintain and provide security updates for the following versions of Gopteran components:
| Component | Version | Supported |
|---|---|---|
| Aerie | 1.x.x | Yes |
| Avis | 1.x.x | Yes |
| Aviary | 1.x.x | Yes |
| Carina | 1.x.x | Yes |
| Nest | 1.x.x | Yes |
| Remora | 1.x.x | Yes |
| Ventus | 1.x.x | Yes |
The Gopteran team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public issue trackers; instead, follow our responsible disclosure process:
Send vulnerability reports to: security@gopteran.dev
Please include the following information in your report:
- Component affected (Aerie, Avis, etc.)
- Version number where the vulnerability exists
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and attack scenarios
- Suggested fix (if you have one)
- Your contact information for follow-up questions
For highly sensitive reports, you can use our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Key would be here in a real implementation]
-----END PGP PUBLIC KEY BLOCK-----
Key ID: 0x1234567890ABCDEF
Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678
We are committed to responding to security reports promptly:
| Timeline | Action |
|---|---|
| Within 48 hours | Initial acknowledgment of your report |
| Within 7 days | Preliminary assessment and severity classification |
| Within 30 days | Detailed response with our planned course of action |
| Within 90 days | Resolution or detailed status update |
We classify vulnerabilities using the following criteria:
- Remote code execution
- Authentication bypass
- Privilege escalation to admin/root
- Data exfiltration of sensitive information
- Significant data exposure
- Denial of service attacks
- Cross-site scripting (XSS) with significant impact
- SQL injection
- Information disclosure
- Cross-site request forgery (CSRF)
- Local privilege escalation
- Moderate denial of service
- Minor information disclosure
- Low-impact denial of service
- Issues requiring significant user interaction
- mTLS Authentication: Mutual TLS for all client-server communications
- PKI Management: Comprehensive certificate lifecycle management
- RBAC: Role-based access control with fine-grained permissions
- Input Validation: Comprehensive request validation and sanitization
- Security Headers: CORS, CSP, HSTS, and other security headers
- Audit Logging: Comprehensive security event logging
- Token Security: Secure token storage and rotation
- Rate Limiting: Protection against abuse and spam
- Permission Validation: Strict Discord permission checking
- Input Sanitization: All user inputs are validated and sanitized
- Container Security: Minimal attack surface with distroless images
- Secrets Management: Secure handling of sensitive configuration
- Network Security: Encrypted communications between components
- Regular Updates: Automated dependency updates and security patches
- Secure Coding: Follow OWASP guidelines and secure coding practices
- Dependency Management: Regular updates and vulnerability scanning
- Code Review: All code changes require security-focused review
- Testing: Comprehensive security testing including penetration testing
- Keep Updated: Always use the latest supported versions
- Strong Authentication: Use strong, unique passwords and enable 2FA
- Network Security: Deploy behind firewalls and use VPNs when appropriate
- Monitor Logs: Regularly review security logs and audit trails
We follow a coordinated disclosure model:
- Report received and acknowledged
- Investigation and verification of the vulnerability
- Fix development and testing
- Coordinated release of the fix
- Public disclosure after users have had time to update
- Immediate: For actively exploited vulnerabilities
- 30 days: For critical vulnerabilities with available fixes
- 90 days: For all other vulnerabilities with available fixes
- Extended: If fix requires significant architectural changes
We believe in recognizing security researchers who help improve our security:
- Security Hall of Fame: Public recognition on our website
- CVE Credits: Proper attribution in CVE databases
- Swag and Rewards: Gopteran merchandise for significant findings
- Early Access: Beta access to new features and releases
We are currently developing a formal bug bounty program. In the meantime:
- Responsible disclosure is always appreciated
- Recognition will be provided for valid security reports
- Coordination on disclosure timing is expected
- Good faith research is protected under our policy
- Security Team: security@gopteran.dev
- General Inquiries: hello@gopteran.dev
- Emergency Contact: emergency@gopteran.dev
Gopteran supports safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations and disruptions
- Only interact with accounts they own or have explicit permission to test
- Do not access or modify data belonging to others
- Report vulnerabilities promptly and allow reasonable time for fixes
- Do not publicly disclose vulnerabilities before coordinated disclosure
We will not pursue legal action against researchers who:
- Follow our responsible disclosure policy
- Act in good faith to identify and report security vulnerabilities
- Do not violate any applicable laws or regulations
- Do not access or modify data without authorization
This security policy may be updated from time to time. We will notify the community of significant changes through:
- GitHub releases and changelogs
- Discord announcements in our security channel
- Email notifications to registered security researchers
- Website updates on our security page
Thank you for helping keep Gopteran and our community safe. Your efforts to responsibly disclose security vulnerabilities help us maintain the trust of our users and the integrity of our systems.
Together, we can build a more secure ecosystem for everyone.
Last updated: December 29, 2024
Version: 1.0