|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +The `osctrl` project takes security vulnerabilities seriously. |
| 6 | + |
| 7 | +If you believe you have found a security issue in `osctrl`, **please do not open a public GitHub issue**. |
| 8 | + |
| 9 | +Instead, report it responsibly by emailing: |
| 10 | + |
| 11 | +📧 <osctrl-security@jmpsec.com> |
| 12 | + |
| 13 | +Please include: |
| 14 | + |
| 15 | +- A clear description of the vulnerability |
| 16 | +- Steps to reproduce (proof of concept if possible) |
| 17 | +- Affected versions or components |
| 18 | +- Potential impact (e.g., RCE, privilege escalation, data exposure) |
| 19 | +- Any suggested mitigation or fix (if available) |
| 20 | + |
| 21 | +We will acknowledge receipt of your report as soon as possible and work with you to assess and remediate the issue. |
| 22 | + |
| 23 | +--- |
| 24 | + |
| 25 | +## Supported Versions |
| 26 | + |
| 27 | +Security fixes are provided for the **latest released version** of `osctrl`. |
| 28 | + |
| 29 | +Users are strongly encouraged to keep their deployments up to date and follow release notes closely, especially for **breaking changes** and security-related updates. |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## Disclosure Policy |
| 34 | + |
| 35 | +We follow a **responsible disclosure** process: |
| 36 | + |
| 37 | +- Reporters will receive confirmation of the vulnerability report. |
| 38 | +- We will investigate and validate the issue. |
| 39 | +- We will work on a fix and coordinate a release. |
| 40 | +- Public disclosure will occur **after a fix is available**, or in coordination with the reporter when appropriate. |
| 41 | + |
| 42 | +We appreciate responsible disclosure and will credit reporters when possible (unless anonymity is requested). |
| 43 | + |
| 44 | +--- |
| 45 | + |
| 46 | +## Security Considerations |
| 47 | + |
| 48 | +`osctrl` is a security-sensitive system that manages endpoint telemetry and remote query execution. Operators should take care to: |
| 49 | + |
| 50 | +- Secure API endpoints and credentials |
| 51 | +- Use TLS and strong authentication mechanisms |
| 52 | +- Restrict access to administrative interfaces |
| 53 | +- Monitor logs and audit trails |
| 54 | +- Apply upgrades promptly, especially for security-related releases |
| 55 | + |
| 56 | +--- |
| 57 | + |
| 58 | +## Third-Party Dependencies |
| 59 | + |
| 60 | +`osctrl` relies on third-party open source components. Dependency updates and security fixes are regularly tracked and applied. |
| 61 | + |
| 62 | +If a vulnerability is discovered in a third-party dependency that affects `osctrl`, it should be reported following the same process above. |
| 63 | + |
| 64 | +--- |
| 65 | + |
| 66 | +## Acknowledgements |
| 67 | + |
| 68 | +We thank the security community for helping keep `osctrl` and its users safe. |
0 commit comments