OpenSOP is an open standard and runtime that exposes business processes as APIs. Processes run automated scripts, evaluate conditions, and call external systems — so security bugs in the engine can have real blast radius. We take vulnerability reports seriously.
Please do NOT open a public issue for security reports.
Use one of these channels, in order of preference:
- GitHub Security Advisory (preferred) — go to the Security tab and click "Report a vulnerability." This keeps the report private and gives us an audit trail.
- Email —
abkuri88@gmail.comwith subject prefix[OpenSOP security]. PGP key available on request.
A good report includes:
- Affected version (commit SHA or tag).
- A clear description of the vulnerability and its impact.
- Reproduction steps — the simpler, the better. A failing spec is gold.
- Any suggested fix or mitigation, if you have one.
We aim for:
- Acknowledgement within 72 hours.
- Initial assessment (severity, scope, reproduction confirmed) within 7 days.
- Fix or mitigation for high-severity issues within 30 days. Lower-severity issues land on the next release cycle.
If a report is out of scope (e.g. social engineering, physical attacks, denial-of-service via brute compute), we'll tell you why and close the advisory.
This repo is the spec and the CLI. Server/runtime security belongs in the reference server repo.
In scope (this repo):
cli/bin/opensop— the local execution backend: shell step execution, local file access,run:path resolution, subprocess depth enforcement.SPEC.md— the format and API contract: ambiguities or underspecified behavior that would lead a conforming implementation to be insecure.- Sandbox / privilege boundaries between user-supplied
.sop.jsonprocess definitions and the host environment (local CLI execution).
Out of scope (report to Chosen9115/opensop-rails instead):
- The Rails server engine — parsing, instance execution, step executors, REST API, admin UI.
- Authentication and authorization (
X-SOP-Token, basic auth on/ui). - Default server deployment configuration (
Dockerfile,bin/deploy,config/). - Issues that require the attacker to already have valid
X-SOP-TokenAND admin credentials. - Vulnerabilities in third-party gems — please report those upstream. We'll bump the dep once a fix is published.
- Process definitions in
processes/examples/having unsafe patterns when run in a real deployment — those are illustrative, not hardened. We'll harden them on request, but it's not a CVE. - Issues only reachable in a custom downstream fork's private processes.
We follow coordinated disclosure:
- We work with the reporter to confirm and fix the issue privately.
- Once a patched release is out, we publish the advisory with credit to the reporter (unless they prefer anonymity).
- We backport fixes to supported versions where reasonable.
OpenSOP is pre-1.0. The following are supported for security fixes:
| Version | Supported |
|---|---|
main |
✅ |
Latest v0.2.x tag |
✅ |
Older v0.x tags |
❌ — please upgrade |
Once 1.0 ships we'll expand this matrix to include the previous minor.
Reporters who find verified vulnerabilities will be credited here unless they prefer otherwise.