Security & Responsible Disclosure

Stella Ops Suite is designed for verifiable release governance:

  • Releases are Cosign-signed (Cosign is the Sigstore tool for signing and verifying container images and other artifacts)
  • Evidence exports are DSSE-attested (DSSE, the Dead Simple Signing Envelope, is the standard envelope for signing arbitrary data)
  • Policies and decisions can be replayed deterministically for audit

Security & Compliance Pack

Need procurement-ready security documentation? The pack covers architecture, crypto profiles, logging/retention, and verification artifacts.

Includes questionnaires (SIG/CAIQ), hardening guidance, SBOM/provenance, and verification steps.

Report a vulnerability

Email: security@stella-ops.org

PGP: 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723

Please include:

  • Impact + affected component/version
  • Reproduction steps or PoC
  • Relevant logs/screenshots
  • Your preferred disclosure timeline

We acknowledge reports within 72 hours and keep you informed until a fix is published.

Verify what you run

Keys: /keys/

Verify a container image

cosign verify \
  --key https://stella-ops.org/keys/cosign.pub \
  registry.stella-ops.org/stella-ops/stella-ops:<VERSION>

Verify an Offline Kit tarball + signed manifest

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
  stella-ops-offline-kit-<DATE>.tgz

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature offline-manifest-<DATE>.json.jws \
  offline-manifest-<DATE>.json
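Both procedures above fetch the public key over HTTPS on every run, so each verification trusts the TLS connection and whatever /keys/ serves at that moment. The script below is an added example, not code from this page or from the Stella Ops project: it pins the key locally once, checks the pinned copy's SHA-256 against a digest you recorded out of band, and only then runs the same cosign commands against the local file, verifying the manifest before the tarball. The key path, the digest argument and the function names are assumptions of the example; the key URL, registry path and file naming are the page's own.

```shell
#!/bin/sh
# Added example (not Stella Ops' own tooling): verify releases against a
# locally pinned copy of the cosign public key instead of re-fetching it.
set -eu

KEY_URL="https://stella-ops.org/keys/cosign.pub"                  # from the page
KEY_FILE="${KEY_FILE:-${HOME:-.}/.stella-ops/cosign.pub}"         # assumed pin path
IMAGE_REPO="registry.stella-ops.org/stella-ops/stella-ops"        # from the page

# sha256_of FILE: hex digest, using whichever tool the host provides
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_pinned_key FILE EXPECTED_SHA256
# Succeeds only if FILE exists and its digest equals the digest recorded when
# the key was first pinned. A mismatch means the key changed (rotation or
# tampering) and must be investigated before any signature is trusted.
check_pinned_key() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || { echo "pinned key missing: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "pinned key digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# pin_key: fetch the key once and print its digest. Record that digest where
# the verifying host cannot silently overwrite it (ticket, second channel)
# and pass it to the verify_* functions from then on.
pin_key() {
  mkdir -p "$(dirname "$KEY_FILE")"
  curl -fsSL "$KEY_URL" -o "$KEY_FILE"
  echo "$(sha256_of "$KEY_FILE")  $KEY_FILE"
}

# verify_image VERSION EXPECTED_KEY_SHA256
verify_image() {
  local version="$1" key_sha="$2"
  check_pinned_key "$KEY_FILE" "$key_sha" || return 1
  cosign verify --key "$KEY_FILE" "${IMAGE_REPO}:${version}"
}

# verify_offline_kit DATE EXPECTED_KEY_SHA256
# Checks that all four files are present, then verifies the manifest before
# the tarball so a bad manifest fails fast without touching the large archive.
verify_offline_kit() {
  local date="$1" key_sha="$2" f
  check_pinned_key "$KEY_FILE" "$key_sha" || return 1
  for f in "offline-manifest-${date}.json" "offline-manifest-${date}.json.jws" \
           "stella-ops-offline-kit-${date}.tgz" "stella-ops-offline-kit-${date}.tgz.sig"; do
    [ -r "$f" ] || { echo "missing kit file: $f" >&2; return 1; }
  done
  cosign verify-blob --key "$KEY_FILE" \
    --signature "offline-manifest-${date}.json.jws" \
    "offline-manifest-${date}.json" || return 1
  cosign verify-blob --key "$KEY_FILE" \
    --signature "stella-ops-offline-kit-${date}.tgz.sig" \
    "stella-ops-offline-kit-${date}.tgz"
}

# CLI entry point:
#   ./verify.sh pin
#   ./verify.sh image <VERSION> <KEY_SHA256>
#   ./verify.sh kit <DATE> <KEY_SHA256>
case "${1:-}" in
  pin)   pin_key ;;
  image) verify_image "$2" "$3" ;;
  kit)   verify_offline_kit "$2" "$3" ;;
esac
```

Run `pin` once on a trusted host, compare the printed digest with a copy obtained through a second channel, and then use `image` and `kit` with that digest on every verifying host; the digest check runs before cosign is invoked, so a swapped key file fails closed rather than producing a "valid" signature from the wrong key.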

Safeguards in service

  • Release integrity: Cosign signatures + DSSE bundles referencing the exact Git tag
  • Evidence chain: Decision Capsules are signed and replayable (see /evidence/)
  • Access logs: raw client IP retained for 7 days, then replaced by sha256(ip)
  • JWT access ledger: stores token-ID hash only (no email/IP)
  • Token validation: can be verified offline using published public keys
  • Container hardening: non-root UID, CPU/RAM limits, SELinux/AppArmor support
  • Air-gap parity: Offline Kit (see /offline/)

No mandatory telemetry

No analytics, trackers, pixels, or third-party JS in the web UI. Product telemetry is disabled by default and strictly opt-in.

Privacy details: /privacy/