Skip to content

Latest commit

 

History

History
38 lines (25 loc) · 1.62 KB

File metadata and controls

38 lines (25 loc) · 1.62 KB

Security Policy

This document outlines how to report security issues in the Alfa Arsenal control plane.

Supported Versions

Security updates are applied to the current main branch. Users are encouraged to run the latest commit and to review release notes before deploying in an assessment environment.

Reporting a Vulnerability

If you discover a security vulnerability or a weakness in the platform control plane (API, gRPC, authentication, evidence handling, policy enforcement, or orchestration), please report it privately:

  1. Open a draft security advisory through the GitHub repository, or
  2. Email the maintainers directly if a contact address is published in the repository metadata.

Please include:

  • A clear description of the issue and its potential impact.
  • Steps to reproduce, or a minimal proof of concept where applicable.
  • The version or commit hash you tested against.
  • Any suggested mitigation or patch.

We aim to acknowledge reports within five business days and to provide a timeline for a fix or mitigation within fourteen business days.

Public Disclosure

To protect users, we request that you do not publicly disclose a vulnerability until a fix has been released and a reasonable period has passed for users to upgrade. We will coordinate disclosure and credit reporters who follow this process, unless they prefer to remain anonymous.

Scope

Reports should focus on the Alfa Arsenal control plane. Vulnerabilities in third-party tools, drivers, or operating-system components should generally be reported to the respective upstream projects, though we are happy to help route reports appropriately.