Security Policy & Responsible Disclosure

We publish a cryptographically signed SBOM (.spdx.json) alongside every release, so you can verify the exact third-party components shipped.

We take security seriously. If you believe you have found a vulnerability in Stella Ops or any of our infrastructure, we encourage you to disclose it privately under the terms below so we can address it swiftly and responsibly.

🔍 Reporting a Vulnerability

Please send an e-mail to our dedicated Vulnerability Response Team at security@stella-ops.org, providing:

  • A clear description of the issue and its impact.
  • Steps to reproduce (proof-of-concept preferred).
  • Any relevant logs, screenshots or exploit code.
  • Your preferred disclosure timeline, if any.

We support encrypted reports – our PGP key fingerprint: 4E67 CD71 2B4A 85D5 9B9D  9C4A AC12 8D70 AEF3 5E99 (download: stella-ops-security.asc).

✅ Existing Safeguards

The default deployment already ships with several hardening measures:

  • Rootless Docker-in-Docker (DinD) Actions runner isolating CI jobs.
  • Anonymous-pull / authenticated-push Docker Registry using 15-minute JWT tokens.
  • Public read-only repo access, disabled self-sign-up, and restricted user permissions.

🏆 Hall of Thanks

We gratefully acknowledge security researchers who follow this policy and help improve Stella Ops. With your consent we will list your name (or handle) in the release notes once a fix is published.

📜 License & Version

This document is version 1.1 and is released under the Creative Commons BY-SA 4.0 license.

Email security@stella-ops.org (PGP available) with steps to reproduce.