Stella Ops Security Policy & Responsible Disclosure
Version 3 · 2025‑07‑15
0 · Supported versions 🗓️
| Release line | Status | Security fix window |
|---|---|---|
| v0.1 α (late 2025) | Upcoming | 90 days after GA of v0.2 |
| v0.2 β (Q1 2026) | Planned | 6 months after GA of v0.3 |
| v0.3 β (Q2 2026) | Planned | 6 months after GA of v0.4 |
| v0.4 RC (Q3 2026) | Planned | Until v1.0 GA |
| v1.0 GA (Q4 2026) | Future LTS | 24 months from release |
Pre‑GA lines receive critical and high‑severity fixes only.
1 · How to report a vulnerability 🔒
| Channel | PGP‑encrypted? | Target SLA |
|---|---|---|
security@stella-ops.org | Yes – PGP key: /keys/#pgp | 72 h acknowledgement |
Matrix DM → @sec‑bot:libera.chat | Optional | 72 h acknowledgement |
Public issue with label security | No (for non‑confidential flaws) | 7 d acknowledgement |
Please include:
- Affected version(s) and environment
- Reproduction steps or PoC
- Impact assessment (data exposure, RCE, DoS, etc.)
- Preferred disclosure timeline / CVE request info
2 · Our disclosure process 📜
- Triage – confirm the issue, assess severity, assign CVSS v4 score.
- Patch development – branch created in a private mirror; PoCs kept confidential.
- Pre‑notification – downstream packagers & large adopters alerted 72 h before release.
- Co‑ordinated release – patched version + advisory (GHSA + CVE) + SBOM delta.
- Credits – researchers listed in release notes (opt‑in).
We aim for 30 days from report to release for critical/high issues; medium/low may wait for the next scheduled release.
3 · Existing safeguards ✅
| Layer | Control |
|---|---|
| Release integrity | cosign signatures + SPDX SBOM on every artefact |
| Build pipeline | Reproducible, fully declarative CI; SBOM diff verified in CI |
| Runtime hardening | Non‑root UID, distroless‑glibc base, SELinux/AppArmor profiles, cgroup CPU/RAM caps |
| Access logs | Retained 7 days, then sha256(ip) hash |
| Quota ledger | Stores token‑ID hash only, no plain e‑mail/IP |
| Air‑gap support | Signed Offline Update Kit (OUK) validated before import |
| Secure defaults | TLS 1.3 (or stronger via plug‑in), HTTP Strict‑Transport‑Security, Content‑Security‑Policy |
| SBOM re‑scan | Nightly cron re‑checks previously “clean” images against fresh CVE feeds |
4 · Cryptographic keys 🔑
| Purpose | Fingerprint | Where to fetch |
|---|---|---|
| PGP (sec‑team) | 3A5C 71F3 ... 7D9B | /keys/#pgp |
| Cosign release key | AB12 ... EF90 | /keys/#cosign |
Verify all downloads (TLS 1.3 by default; 1.2 allowed only via a custom TLS provider such as GOST):
cosign verify \
--key https://stella-ops.org/keys/cosign.pub \
registry.stella-ops.org/stella-ops/stella-ops:<VERSION>
5 · Private‑feed mirrors 🌐
The Concelier (vulnerability ingest/merge/export service) provides signed JSON and Trivy DB snapshots that merge:
- OSV + GHSA
- (optional) NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU regionals
The snapshot ships in every Offline Update Kit and is validated with an in‑toto SLSA attestation at import time.
6 · Hall of Thanks 🏆
We are grateful to the researchers who help keep Stella Ops safe:
| Release | Researcher | Handle / Org |
|---|---|---|
| empty | (your name here) |