We release patches for security vulnerabilities for the following versions:

We take the security of Bud seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• Open a public GitHub issue for security vulnerabilities
• Disclose the vulnerability publicly before it has been addressed

Report security vulnerabilities via GitHub Security Advisories:

1. Go to the Security tab of the repository
2. Click "Report a vulnerability"
3. Fill out the form with details about the vulnerability

Or email us directly:

Send details to: security@mskutin.com (replace with actual email)

Please include the following information in your report:

• Type of vulnerability (e.g., authentication bypass, injection, etc.)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability, including how an attacker might exploit it

• Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
• Updates: We will send you regular updates about our progress
• Timeline: We aim to address critical vulnerabilities within 7 days
• Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

When using Bud:

• Never commit AWS credentials to version control
• Use IAM roles with least-privilege permissions
• Rotate credentials regularly
• Use AWS SSO or temporary credentials when possible

• Keep .Bud.yaml out of version control (it's in .gitignore)
• Use environment variables for sensitive configuration
• Review configuration files before sharing

• Use dedicated IAM roles for cross-account access
• Implement role assumption with external ID for additional security
• Regularly audit role permissions

• Run with minimum required AWS permissions
• Use read-only permissions where possible
• Review recommendations before applying changes
• Test in non-production environments first

This tool requires:

• Read access to AWS Cost Explorer API
• Read access to AWS Budgets API
• Read access to AWS Organizations API (for multi-account)
• Optional: AssumeRole permissions for cross-account access

• Cost data is processed in-memory only
• No data is sent to external services
• JSON exports contain cost information - handle appropriately
• Logs may contain account IDs - review before sharing

We use Dependabot to monitor dependencies for known vulnerabilities. Security updates are applied promptly.

Security updates will be released as patch versions (e.g., 1.0.1) and announced via:

• GitHub Security Advisories
• GitHub Releases
• Repository README

Subscribe to repository notifications to stay informed about security updates.

When we receive a security bug report, we will:

1. Confirm the problem and determine affected versions
2. Audit code to find similar problems
3. Prepare fixes for all supported versions
4. Release new versions as soon as possible
5. Publish a security advisory on GitHub

If you have suggestions on how this process could be improved, please submit a pull request or open an issue.