Security Policy & Responsible Disclosure

Stella Ops ships with signed releases, SPDX SBOMs, and no telemetry beacons. We do retain basic access logs for seven days to handle abuse, then hash & rotate them. Below is how to report vulnerabilities and what safeguards are already in place.

Reporting a vulnerability 🔒

Email our Vulnerability Response Team at security@stella‑ops.org (PGP fingerprint 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723).

Please include:

  • Description and potential impact
  • Reproduction steps or PoC
  • Relevant logs / screenshots
  • Your preferred disclosure timeline

We acknowledge within 72 h and keep you informed until a fix is published.

Existing safeguards ✅

Layer                Measure
Release integrity    Cosign‑signed artefacts + SPDX SBOM
Access logs          Stored 7 days, then ip → sha256(ip)
JWT quota ledger     Stores token‑ID hash + daily counter; no email/IP
Soft throttle        At 90 % of the daily scan quota the CLI displays a reminder; at 333 scans/day requests slow down but never fail
Container hardening  Non‑root UID, cgroup CPU/RAM limits, SELinux/AppArmor
Air‑gap ready        See Offline Kit

Zero‑telemetry promise 📉

  • No analytics, trackers, or third‑party JS in the web UI.
  • Access logs rotate at seven days; no profiling or fingerprinting.
  • Supplying a free JWT (333 scans/day) does not introduce extra tracking.

Hall of Thanks 🏆

Researchers following this process can be credited in release notes (opt‑in, naturally).