We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
You can report security vulnerabilities through:
-
GitHub Security Advisory (Preferred)
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- This allows private discussion until a fix is ready
-
Email
- Send details to: security@lerian.studio
- PGP key available for encrypted communications
- We recommend Mailvelope for email encryption
Please do NOT disclose the vulnerability publicly until we have addressed it.
| Action | Timeframe |
|---|---|
| Acknowledgment | Within 24 hours |
| Initial assessment | Within 72 hours |
| Status update | Within 7 days |
| Resolution target | Within 90 days (severity dependent) |
- Initial Contact: You submit vulnerability via GitHub Advisory or email
- Acknowledgment: We confirm receipt within 24 hours
- Verification: Our security team verifies the vulnerability
- Assessment: We determine severity and potential impact
- Resolution: We develop and deploy a fix
- Notification: We inform you of the resolution
- Public Disclosure: We coordinate with you to disclose responsibly
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Security fixes only |
| Older versions | No |
We recommend always running the latest version.
- Authentication and authorization vulnerabilities
- Data exposure or leakage
- Injection vulnerabilities (SQL, command, etc.)
- Cryptographic issues
- Business logic flaws
- Exploitable vulnerabilities in dependencies as used by this project
- Denial-of-service (DoS) attacks
- Social engineering
- Physical security
- Vulnerabilities in dependencies that are not reachable or exploitable in this project (report to upstream)
When deploying this application:
- Never hardcode secrets - Use environment variables or secrets management (e.g., HashiCorp Vault)
- Keep updated - Regularly update to the latest version
- Secure configuration - Follow our documentation for secure setup
- Network security - Use TLS, firewalls, and network segmentation
- Access control - Apply principle of least privilege
For local development, use .env files copied from the .env.example files provided in the repository. These files are gitignored and should never be committed.
Use an external secrets manager to inject secrets at runtime:
| Solution | Use Case | Documentation |
|---|---|---|
| HashiCorp Vault | Self-hosted, multi-cloud | https://www.vaultproject.io/ |
| AWS Secrets Manager | AWS-native workloads | https://aws.amazon.com/secrets-manager/ |
| Azure Key Vault | Azure-native workloads | https://azure.microsoft.com/services/key-vault/ |
| GCP Secret Manager | GCP-native workloads | https://cloud.google.com/secret-manager |
| External Secrets Operator | Kubernetes (any cloud) | https://external-secrets.io/ |
We appreciate security researchers who help keep our project secure. With your permission, we'll acknowledge your contribution in our release notes.
- Security Email: security@lerian.studio
- General Issues: Use GitHub Issues for non-security bugs