This document outlines the security policies and procedures for the NETBPF project, a system concern of KhulnaSoft. It focuses on networking, security, and observability best practices for eBPF-based systems and infrastructure.

• Security Team: security@khulnasoft.com
• Emergency: +880 (1614) 202520
• PGP Key: Download
• Security Updates: KhulnaSoft Security Advisories

• BPF/eBPF Security
• Network Security
• Code Security
• GitHub Security Features
• Vulnerability Disclosure
• Security Updates
• Incident Response
• Compliance

• Mandatory: Enable kernel.unprivileged_bpf_disabled=1 to prevent unprivileged BPF usage
• LSM Integration: Utilize BPF LSM (Linux Security Module) hooks for fine-grained access control
• Type Safety: Implement BPF Type Format (BTF) for better introspection and verification
• Capability Restrictions: Restrict BPF program capabilities using capabilities(7) and seccomp filters
• Namespace Isolation: Run BPF programs in dedicated namespaces when possible
• Kernel Version: Require minimum kernel version 5.10+ for production deployments

• Verification: All BPF programs must pass the kernel verifier with strictest settings
• Feature Stability: Only use features marked as stable in the kernel documentation
• Input Validation: Implement comprehensive bounds checking and input validation
• CO-RE Compliance: Use BPF CO-RE (Compile Once - Run Everywhere) for portability
• Verification Logs: Enable and monitor BPF verifier logs in development environments

• Resource Limits:
  • Set memory limits using rlimit(MEMLOCK)
  • Limit instruction complexity and count
  • Enforce CPU time limits
• Monitoring:
  • Use bpftool prog show for runtime inspection
  • Monitor with perf and BPF introspection tools
  • Set up alerts for abnormal behavior
• Memory Safety:
  • Use bounded loops with verifiable exit conditions
  • Initialize all variables
  • Avoid unbounded map iterations
• Map Security:
  • Use appropriate map types (e.g., LRU maps for caches)
  • Implement proper locking mechanisms
  • Regularly audit map usage and sizes

• eBPF Programs:
  • Implement proper packet validation
  • Use bounded loops for packet processing
  • Validate all packet offsets and lengths
• Firewall Rules:
  • Default deny all
  • Explicitly allow required traffic
  • Log all dropped packets

• TLS/SSL:
  • Enforce TLS 1.3 where possible
  • Use strong cipher suites
  • Implement certificate pinning
• Secrets Management:
  • Never hardcode credentials
  • Use secure secret storage
  • Rotate keys and certificates regularly

• Required Tools:
  • CodeQL for static analysis
  • Coverity for deep code analysis
  • Semgrep for custom rule checking
• Policy:
  • Zero tolerance for critical/high severity issues
  • Weekly security scans
  • Pre-commit hooks for basic checks

• Requirements:
  • Use only audited dependencies
  • Regular dependency updates
  • SBOM (Software Bill of Materials) for all releases
• Monitoring:
  • Dependabot for vulnerability alerts
  • Automated scanning of dependencies
  • Immediate patching of critical vulnerabilities

• Branch Protection:
  • Require pull request reviews
  • Require status checks to pass
  • Require linear history
  • Require signed commits
• Actions Security:
  • Limit GitHub Actions to specific paths
  • Require approval for first-time contributors
  • Pin actions to full length commit SHA

• Repository Settings:
  • Enable vulnerability alerts
  • Enable automated security fixes
  • Require 2FA for all contributors
• Code Scanning:
  • Enable CodeQL analysis
  • Run on push and pull requests
  • Fail build on critical findings

1. Private Reporting:
   • Primary: security@khulnasoft.com (GPG: key)
   • Secondary: security@netbpf.org (forwards to KhulnaSoft Security)
   • Use GitHub Security Advisories for non-critical issues
2. Required Information:
   • Description of the vulnerability
   • Steps to reproduce
   • Impact assessment
   • Suggested fixes or mitigation

• Critical: Response within 24 hours
• High: Response within 72 hours
• Medium/Low: Response within 7 business days

• Scope: All repositories under KhulnaSoft's NETBPF project
• Managed By: KhulnaSoft Security Team
• Program: KhulnaSoft Bug Bounty Program
• Rewards: Based on CVSS score and impact
• Exclusions:
  • Theoretical vulnerabilities
  • Self-XSS
  • CSRF with no security impact

• Critical: Patch within 24 hours
• High: Patch within 7 days
• Medium: Patch within 30 days
• Low: Patch in next regular release

• Version Support:
  • Current and previous major versions
  • 6 months of support after EOL announcement
  • Security fixes only for EOL versions

1. Identification: Detect and confirm security incident
2. Containment: Limit the scope and impact
3. Eradication: Remove the root cause
4. Recovery: Restore affected systems
5. Post-Mortem: Document and learn from the incident

• Internal: Immediate notification to security team
• Users: Transparent disclosure within 72 hours of patch availability
• Regulatory: Comply with all applicable laws and regulations

• OWASP Top 10
• CIS Benchmarks
• NIST Cybersecurity Framework
• BPF-specific security guidelines

• Frequency: Quarterly security audits
• Scope: All production systems and code
• Remediation: 30-day SLA for critical findings
• Audit Reports: Available to KhulnaSoft enterprise customers upon request
• Compliance: Audits conducted by KhulnaSoft's internal security team and third-party auditors

KhulnaSoft
Security Team
security@khulnasoft.com
KhulnaSoft Security Portal

Last Updated: 2025-03-19

• All network access to NETBPF infrastructure must be authenticated and authorized
• Use of VPN or zero-trust network access (ZTNA) is required for administrative access
• Implement network segmentation to isolate critical components
• Restrict inbound and outbound traffic using security groups and network ACLs

• All network traffic must be encrypted in transit using TLS 1.2 or higher
• Use strong cipher suites and disable weak protocols (SSLv3, TLS 1.0, TLS 1.1)
• Implement certificate pinning where applicable
• Use forward secrecy for all TLS connections

• Restrict BPF system calls using seccomp filters
• Implement BPF LSM restrictions to control program loading
• Monitor BPF program loading/unloading events
• Use BPF Type Format (BTF) for better security monitoring

• Enforce multi-factor authentication (MFA) for all administrative access
• Implement role-based access control (RBAC) with least privilege principle
• Use short-lived credentials and tokens with automatic rotation
• Regularly review and revoke unnecessary permissions

• Perform regular security scanning of all code and dependencies
• Patching policy: Critical vulnerabilities must be patched within 7 days, high within 30 days
• Use automated dependency updates with security scanning
• Maintain an inventory of all assets and their security status

• Use BPF-based tools (BCC, bpftrace) for low-overhead system monitoring
• Implement BPF-based network traffic analysis and anomaly detection
• Monitor BPF program execution and resource usage
• Track BPF map operations and memory usage

• All systems must generate and retain logs for at least 90 days
• Logs must include:
  • Authentication and authorization events
  • System events and errors
  • Network connections
  • Configuration changes
  • Sensitive operations

• Implement real-time monitoring for security events
• Set up alerts for suspicious activities including:
  • Multiple failed login attempts
  • Unusual data transfers
  • Configuration changes
  • Unauthorized access attempts
• Use SIEM (Security Information and Event Management) for centralized log analysis

• Maintain an incident response plan with clear roles and responsibilities
• Report security incidents to security@khulnasoft.com
• Conduct post-incident reviews and document lessons learned
• Notify affected parties in case of data breaches as per applicable laws

• Follow BPF best practices from the Linux kernel documentation (https://www.kernel.org/doc/html/latest/bpf/index.html)
• Use the latest stable versions of libbpf and BPF CO-RE features
• Implement comprehensive error handling and logging in BPF programs:
  • Log all security-relevant events
  • Include program and map identifiers in logs
  • Implement rate limiting for logging to prevent log flooding
• Use BPF Type Format (BTF) for better debugging and introspection
• Regularly update BPF-related dependencies and tooling
• Implement proper cleanup of BPF resources (maps, programs, links)
• Use BPF LSM (Linux Security Module) hooks for additional security controls
• Implement proper map permissions (read-only, write-only, read-write) based on requirements

• Follow OWASP Top 10 guidelines for secure coding (https://owasp.org/Top10/)
• Perform mandatory security-focused code reviews for all BPF programs and related code
• Implement automated security testing in CI/CD pipelines:
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA) for dependencies
• Implement secure software development lifecycle (SDLC) with security gates
• Use automated fuzz testing for BPF programs (e.g., using libfuzzer)
• Implement proper input validation and sanitization for all BPF program inputs
• Follow principle of least privilege for BPF program capabilities

• Maintain an up-to-date inventory of all dependencies, including:
  • BPF toolchain versions
  • Kernel headers and development packages
  • Library dependencies (libbpf, LLVM, etc.)
• Use dependency verification:
  • GPG signatures for packages
  • Checksum verification for all downloaded artifacts
  • Reproducible builds where possible
• Monitor for security advisories:
  • Subscribe to kernel security mailing lists
  • Monitor CVE databases for BPF-related vulnerabilities
  • Track security updates for all dependencies
• Maintain a detailed Software Bill of Materials (SBOM) including:
  • All direct and transitive dependencies
  • Version information
  • License information
  • Known vulnerabilities

• Follow kernel BPF development best practices and security guidelines
• Maintain documentation of all BPF programs and their purposes
• Implement audit trails for BPF program loading and execution
• Regular security reviews of BPF programs and their interactions with the kernel
• Comply with relevant regulations (GDPR, CCPA, etc.)
• Regular security audits and penetration testing
• Document and maintain security policies and procedures
• Provide security awareness training for all contributors

If you discover a security vulnerability in any NETBPF project, please report it to:

• Email: security@khulnasoft.com
• Please include details about the vulnerability and steps to reproduce it
• We will acknowledge receipt of your report within 48 hours
• We will keep you informed about the progress towards fixing the issue

• Maintain capability to quickly disable BPF programs in case of security incidents
• Have rollback procedures for BPF program updates
• Monitor for suspicious BPF program behavior
• Document and analyze any BPF-related security incidents

This policy will be reviewed and updated at least quarterly or as needed to address emerging threats and changes in the security landscape, with special attention to BPF/eBPF security developments.

Last Updated: November 2025 Version: 2.0