|
1 | 1 | # Security Policy |
2 | 2 |
|
3 | | -## Reporting a Vulnerability |
| 3 | +## Reporting Vulnerabilities |
4 | 4 |
|
5 | | -**Do not** open a public GitHub issue for security vulnerabilities. |
| 5 | +Email: alexa@blackroad.io |
6 | 6 |
|
7 | | -Email **security@blackroad.io** with: |
8 | | - |
9 | | -1. Description of the vulnerability |
10 | | -2. Steps to reproduce |
11 | | -3. Potential impact |
12 | | -4. Suggested fix (if any) |
13 | | - |
14 | | -### Response Timeline |
15 | | - |
16 | | -| Phase | Timeline | |
17 | | -|-------|----------| |
18 | | -| Initial response | 24 hours | |
19 | | -| Triage and assessment | 72 hours | |
20 | | -| Fix development | 7-14 days | |
21 | | -| Coordinated disclosure | 90 days | |
| 7 | +Do NOT open public issues for security vulnerabilities. |
22 | 8 |
|
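Review bot: New line 5 (`Email: alexa@blackroad.io`) points reporters at a personal mailbox where the old text used the role address `security@blackroad.io`; a role alias survives staff changes and absence, so consider keeping it. This region also deletes the four-item list of what a report should contain and the Response Timeline table (24 hours initial response, 90 days coordinated disclosure), which leaves reporters with no stated acknowledgement or disclosure window; keeping at least those two rows would preserve that commitment.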
23 | 9 | ## Supported Versions |
24 | 10 |
|
25 | | -| Version | Status | |
26 | | -|---------|--------| |
27 | | -| Latest on `main` | Active support | |
28 | | -| Previous releases | Security fixes only | |
29 | | - |
30 | | -## Architecture |
31 | | - |
32 | | -All LLM provider communication flows through the tokenless gateway. Agents never embed API keys. |
33 | | - |
34 | | -``` |
35 | | -Agent --> Gateway (localhost:8787) --> Provider (Ollama / Claude / OpenAI) |
36 | | -``` |
37 | | - |
38 | | -### Authentication |
39 | | - |
40 | | -| Component | Method | |
41 | | -|-----------|--------| |
42 | | -| API | JWT via auth.blackroad.io | |
43 | | -| CLI | Token-based | |
44 | | -| Fleet SSH | Public key authentication | |
45 | | -| Cloudflare Workers | Wrangler auth | |
46 | | -| MCP Bridge | Bearer token | |
47 | | - |
48 | | -### Infrastructure Security |
| 11 | +Only the latest version on `main` is supported. |
49 | 12 |
|
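Review bot: Replacing the Supported Versions table with the single sentence on new line 11 removes the `Previous releases | Security fixes only` row, which is a support-policy change rather than a wording change; say so in the commit message or release notes so users of earlier releases know they no longer receive security fixes. The Authentication table removed alongside it has no counterpart in the new text apart from the SSH bullet, so if the JWT, bearer-token and Wrangler methods are still in use, point to wherever they are documented now.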
50 | | -- **Cloudflare Tunnel** terminates TLS for all public endpoints |
51 | | -- **WireGuard** encrypts all inter-node traffic (10.8.0.x mesh) |
52 | | -- **Pi-hole** filters DNS on the fleet |
53 | | -- **UFW** on Lucidia (INPUT DROP policy) |
54 | | -- **NOPASSWD sudo** limited to operational users on each node |
55 | | -- **Secrets** stored in `~/.blackroad/` with 600 permissions, never in code |
| 13 | +## Security Practices |
56 | 14 |
|
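Review bot: The bullets removed here are more specific than the replacements added under Security Practices: `UFW on Lucidia (INPUT DROP policy)` becomes `UFW on all exposed nodes`, which widens the claim while dropping the stated default-deny policy, and the `NOPASSWD sudo` bullet has no replacement at all. Confirm the broader UFW statement holds for every exposed node and state the default policy, and either keep the sudo line or note where the privilege policy is documented.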
57 | | -### Automated Scanning |
58 | | - |
59 | | -| Scan | Tool | Frequency | |
60 | | -|------|------|-----------| |
61 | | -| Static analysis | CodeQL | Every PR | |
62 | | -| Dependencies | Dependabot | Daily | |
63 | | -| Secret detection | GitHub Secret Scanning | Every commit | |
64 | | -| Shell linting | ShellCheck | CI on every push | |
65 | | - |
66 | | -## For Contributors |
67 | | - |
68 | | -1. Never commit secrets, tokens, or credentials |
69 | | -2. Use environment variables or `.env` files (gitignored) |
70 | | -3. Use parameterized queries for all database access |
71 | | -4. Validate input at system boundaries |
72 | | -5. Keep dependencies updated (`npm audit`, `pip-audit`) |
73 | | - |
74 | | -## Scope |
75 | | - |
76 | | -| In Scope | Out of Scope | |
77 | | -|----------|--------------| |
78 | | -| *.blackroad.io | Third-party services | |
79 | | -| API endpoints | Social engineering | |
80 | | -| Agent infrastructure | Physical access attacks | |
81 | | -| Authentication and authorization | Denial of service | |
82 | | - |
83 | | -## Contact |
84 | | - |
85 | | -| Role | Contact | |
86 | | -|------|---------| |
87 | | -| Security Lead | security@blackroad.io | |
88 | | -| Backup | blackroad.systems@gmail.com | |
| 15 | +- All secrets in env files with chmod 600 |
| 16 | +- No API tokens in code |
| 17 | +- WireGuard for inter-node traffic |
| 18 | +- Cloudflare proxy for all public endpoints |
| 19 | +- UFW on all exposed nodes |
| 20 | +- SSH key auth only (password auth disabled) |
| 21 | +- Quarterly SSH key audit |
89 | 22 |
|
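Review bot: The Scope table is deleted with nothing in its place, so the policy no longer tells researchers that `*.blackroad.io` and the API endpoints are in scope or that denial of service and social engineering are out of scope; keep a short scope statement. New line 15 (`All secrets in env files with chmod 600`) also arrives while the contributor rule that `.env` files are gitignored is removed, so restate that env files must stay out of the repository, and give new line 21 (`Quarterly SSH key audit`) an owner or a pointer to the procedure.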
90 | 23 | --- |
91 | | - |
92 | | -BlackRoad OS, Inc. -- Pave Tomorrow. |
| 24 | +*BlackRoad OS, Inc. All rights reserved.* |