
Security: Akashcp111/rocketride-server


SECURITY.md

Security Policy

Supported Versions

We release security patches for the following versions:

| Version | Supported |
| ------- | --------- |
| 3.1.x   | Yes       |
| < 3.1   | No        |

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Preferred: report privately through a GitHub Security Advisory (Security tab → Report a vulnerability)
  3. Alternative: email security@rocketride.ai
  4. Include as much detail as possible:
    • Description of the vulnerability
    • Affected version(s) and configuration
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 5 business days
  • Resolution Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-30 days
    • Medium: 30-90 days
    • Low: Next release cycle

Disclosure Policy

  • We will coordinate disclosure with you
  • We request a 90-day disclosure window for non-critical issues
  • We will credit reporters (unless anonymity is requested)

Vulnerability & Alert Triage

This project uses GitHub-native scanning on the develop branch: CodeQL (Default Setup), Secret Scanning with Push Protection, OpenSSF Scorecard, and Dependabot. CodeQL and Scorecard findings both surface as code scanning alerts (Scorecard uploads its results as SARIF), so they share the same GitHub UI and the dismissal workflow described below; secret scanning and Dependabot alerts are separate alert types and are covered further down. All findings are triaged against the SLAs in What to Expect.

Two-Person Control on Alert Dismissals

To prevent unilateral dismissal of security findings, this repository operates under GitHub's Delegated Alert Dismissal, enabled at the rocketride-org organization level:

  1. Request — any maintainer with write access can submit a dismissal request. The request must include a documented justification: compensating controls, mitigation rationale, or basis for "won't fix". This justification is recorded as the dismissal comment on the alert.
  2. Approval — must be given by a different authorized reviewer under GitHub Delegated Alert Dismissal (organization owner, security manager, or explicitly delegated custom role). The requester cannot self-approve.
  3. Dismissal — GitHub auto-applies the dismissal once approval lands. The full request → approval → dismissal trail is preserved on the alert and serves as the system-of-record for audit.

Direct (one-step) dismissal is blocked at the organization level.

Triage Dispositions

When closing an alert, choose one of:

| Disposition | When to use | Evidence captured |
| --- | --- | --- |
| Fix | Vulnerability is exploitable in our usage | PR that fixes the finding; the alert closes as Fixed once the next scan of develop no longer reports it |
| Mitigated | Code path is reachable but compensating controls neutralize the risk | Two-person dismissal with the controls listed in the comment |
| False positive | Tool flagged a non-issue (e.g., test fixture, intentional pattern) | Two-person dismissal with explanation |
| Won't fix | Risk accepted by ownership | Two-person dismissal with named approver and rationale |
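The two-person flow above only works as an audit control if every dismissal actually carries the justification comment and every open alert is tracked against its SLA. The following script is an added example, not tooling from rocketride-server: it consumes alerts in the JSON shape returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/code-scanning/alerts (field names `state`, `dismissed_reason`, `dismissed_comment`, `dismissed_by`, `rule.security_severity_level`, `created_at` are the API's own) and reports dismissals without a comment, dismissal reasons that do not map onto the dispositions table, and open alerts older than the resolution SLA for their severity. GitHub only exposes three dismissal reasons, so "Mitigated" and "Won't fix" both land on `won't fix` and are told apart by the comment, which is why an empty comment is treated as a violation. The `fetch_alerts` helper is illustrative and is not called; the alerts and the fixed clock below are constructed sample data.

```python
"""Audit code scanning alerts against the triage policy on this page.

Added example; not part of rocketride-server. Input is the JSON shape of
GET /repos/{owner}/{repo}/code-scanning/alerts. The SAMPLE_ALERTS below
are constructed, not real findings.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Resolution SLAs (days) from "What to Expect". "Low" is "next release
# cycle", which has no fixed window, so it is not enforced here.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# GitHub's three dismissed_reason values mapped onto the dispositions
# table. "Mitigated" and "Won't fix" share "won't fix"; the mandatory
# dismissal comment is what distinguishes them.
DISPOSITION_FOR_REASON = {
    "false positive": "False positive",
    "used in tests": "False positive",
    "won't fix": "Mitigated or Won't fix",
}


def fetch_alerts(owner, repo, token, state="dismissed"):
    """Live fetch (not used by the offline demo). The token needs
    security_events:read; pagination is left to the caller."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts"
           f"?state={state}&per_page=100")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_ts(ts):
    """GitHub timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_alerts(alerts, now):
    """Return (alert_number, problem) tuples; an empty list means compliant."""
    problems = []
    for a in alerts:
        num = a["number"]
        if a["state"] == "dismissed":
            reason = a.get("dismissed_reason")
            comment = (a.get("dismissed_comment") or "").strip()
            if reason not in DISPOSITION_FOR_REASON:
                problems.append((num, f"unmapped dismissal reason {reason!r}"))
            if not comment:
                problems.append((num, "dismissed without justification comment"))
            if not a.get("dismissed_by"):
                problems.append((num, "dismissal has no recorded actor"))
        elif a["state"] == "open":
            sev = (a.get("rule") or {}).get("security_severity_level")
            limit = SLA_DAYS.get(sev)
            if limit is not None:
                age = (now - parse_ts(a["created_at"])).days
                if age > limit:
                    problems.append((num, f"{sev} alert open {age}d, SLA is {limit}d"))
    return problems


# Constructed sample, trimmed to the fields the audit reads.
SAMPLE_ALERTS = [
    {"number": 1, "state": "dismissed", "created_at": "2026-01-02T10:00:00Z",
     "rule": {"id": "py/sql-injection", "security_severity_level": "high"},
     "dismissed_by": {"login": "sec-manager"}, "dismissed_reason": "won't fix",
     "dismissed_comment": "Mitigated: sink is only reachable behind admin auth; "
                          "parameterised query scheduled for 3.2."},
    {"number": 2, "state": "dismissed", "created_at": "2026-01-03T10:00:00Z",
     "rule": {"id": "py/clear-text-logging", "security_severity_level": "medium"},
     "dismissed_by": {"login": "dev-a"}, "dismissed_reason": "false positive",
     "dismissed_comment": ""},
    {"number": 3, "state": "open", "created_at": "2026-01-01T00:00:00Z",
     "rule": {"id": "py/code-injection", "security_severity_level": "critical"}},
    {"number": 4, "state": "open", "created_at": "2026-01-01T00:00:00Z",
     "rule": {"id": "py/weak-crypto", "security_severity_level": "medium"}},
]
NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    for num, problem in audit_alerts(SAMPLE_ALERTS, NOW):
        print(f"alert #{num}: {problem}")
```

Running it on the sample flags alert #2 (a false-positive dismissal with no explanation) and alert #3 (a critical finding open for 19 days against a 7-day SLA); alert #1 passes because its "won't fix" reason carries the compensating-control rationale the Mitigated disposition requires. The delegated request/approval trail itself is not in this response body, so the script checks the evidence the policy demands rather than who approved it.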

Secret Scanning & Dependabot

  • Secret Scanning Push Protection is enabled org-wide. Pushes containing detected secrets are blocked at push time; bypasses require committer justification and are recorded in the audit log.
  • Secret Scanning alerts for secrets already in the repository follow the same two-person Delegated Alert Dismissal flow (request by any write-access maintainer; approval by a different organization owner, security manager, or holder of an explicitly delegated custom role; auto-dismissal with audit trail).
  • Dependabot alerts follow the same two-person Delegated Alert Dismissal flow described above:
    • Request by any write-access maintainer; approval by a different organization owner, security manager, or holder of an explicitly delegated custom role.
    • Dismissal reason and any SLA exception must be recorded in the dismissal comment.
    • Fixes are tracked via Dependabot security update PRs against the SLAs above.

Security Best Practices

When using RocketRide Engine:

  1. Keep Updated: Run a supported release (3.1.x); earlier versions do not receive security patches
  2. Credentials: Never commit credentials or secrets; keep them in a secrets manager or the engine's keystore
  3. Dependencies: Regularly update dependencies and act on Dependabot alerts
  4. Access Control: Implement proper access controls
  5. Encryption: Use encryption for sensitive data, both at rest and in transit

Security Features

RocketRide Engine includes several security features:

  • Encryption: Support for data encryption at rest and in transit
  • Authentication: Configurable authentication mechanisms
  • Keystore: Secure key management
  • Audit Logging: Comprehensive activity logging

Thank you for helping keep RocketRide Engine secure!
