
Security: EvilBit-Labs/opnDossier

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.3.x     ✅ Full support
1.2.x     ✅ Best effort
1.1.x     ❌ Unsupported
1.0.x     ❌ Unsupported
< 1.0     ❌ Unsupported

Support policy: Releases within the last 90 days receive full support (security patches, bug fixes). Releases within the last 6 months receive best-effort assistance. Older releases are unsupported — please upgrade to the latest version. Review the release notes when upgrading.

Reporting a Vulnerability

We take the security of opnDossier seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, use one of the following channels:

  1. GitHub Private Vulnerability Reporting (preferred)
  2. Email support@evilbitlabs.io encrypted with our PGP key (verify the full fingerprint below before use)

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Scope

In scope:

  • Vulnerabilities in opnDossier's XML parser (e.g., XXE, billion laughs)
  • Path traversal in file input/output handling
  • Command injection via CLI arguments
  • Information disclosure in generated reports

Out of scope:

  • Vulnerabilities in OPNsense itself
  • Issues requiring physical access to the machine running opnDossier
  • Social engineering attacks

What to Expect

Note: This is a passion project with volunteer maintainers. Response times are best-effort and may vary based on maintainer availability.

  • We will acknowledge receipt of your report within 1 week
  • We will provide an initial assessment within 2 weeks
  • We aim to release a fix within 90 days of confirmed vulnerabilities
  • We will coordinate disclosure through a GitHub Security Advisory
  • We will credit you in the advisory (unless you prefer to remain anonymous)

How Reports Are Handled

Once a report is confirmed, it moves through the following steps:

  1. Triage: we determine severity, affected versions, and scope.
  2. Fix: we develop the patch on a private branch; critical issues are fast-tracked.
  3. Ship: the fix ships either in the next scheduled release or as a hotfix (see RELEASING.md § Hotfix / security releases for the hotfix procedure).
  4. Backport: supported branches (per the Supported Versions table above) receive the fix. Unsupported branches do not.
  5. Disclosure: the Security Advisory is published once users have had reasonable time to upgrade.

Responsible Disclosure

We ask that you:

  • Give us reasonable time to respond to issues before any disclosure
  • Avoid accessing or modifying other users' data
  • Avoid actions that could negatively impact other users

Security Best Practices

When using opnDossier:

  • Keep your OPNsense configuration files secure
  • Regularly update to the latest version
  • Review generated reports for sensitive information before sharing
  • Use appropriate file permissions for configuration files (0600)
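The 0600 recommendation above can be checked before a configuration file is ever opened for parsing. The following Go program is an added example, not code from opnDossier: it stats a file and refuses it when any group or other permission bit is set, then exercises the check against constructed placeholder files at 0600, 0640 and 0644 (file names and contents are made up for the demonstration).

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkConfigPerms returns nil only when path is a regular file whose
// permission bits grant nothing to group or other (0600 or tighter).
// 0640 and 0644 are rejected, because a configuration export may contain
// sensitive information that other local accounts should not be able to read.
func checkConfigPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	perm := info.Mode().Perm()
	if perm&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o is readable or writable by group/other; expected 0600", path, perm)
	}
	return nil
}

// writeSample creates a constructed placeholder config under dir with the
// requested mode. It chmods after writing so the process umask cannot
// change the outcome of the demonstration.
func writeSample(dir, name string, mode os.FileMode) (string, error) {
	p := filepath.Join(dir, name)
	if err := os.WriteFile(p, []byte("<opnsense/>\n"), 0o600); err != nil {
		return "", err
	}
	if err := os.Chmod(p, mode); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	dir, err := os.MkdirTemp("", "opndossier-perms-")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	for _, mode := range []os.FileMode{0o600, 0o640, 0o644} {
		p, err := writeSample(dir, fmt.Sprintf("config-%04o.xml", mode), mode)
		if err != nil {
			fmt.Println(err)
			continue
		}
		if err := checkConfigPerms(p); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", p)
		}
	}
}
```

Only the owner bits are left unconstrained, so 0400 (read-only for the owner) passes as well; the check is about who else can read the file, not about whether the owner can write it.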

Security Features

opnDossier includes several security-focused features:

  • Memory-safe implementation: Pure Go with no unsafe package usage
  • XXE-safe parsing: Go's encoding/xml does not support external entities or DTD processing
  • Offline-first design: No network access at runtime; built for airgapped environments
  • Typed data handling: All XML elements map to strictly typed Go structs with validation
  • Continuous vulnerability scanning (.github/workflows/security.yml, on push/PR and weekly):
    • govulncheck against the Go vulnerability database
    • Trivy filesystem scan (dependencies + misconfiguration), results uploaded to GitHub code scanning
  • CodeQL semantic analysis: GitHub's repository-level default setup for code scanning (Security → Code scanning). Advanced-setup CodeQL is intentionally not in the workflow — GitHub rejects the SARIF upload when default setup is enabled.
  • Supply-chain posture: OSSF Scorecard analysis (.github/workflows/scorecard.yml)
  • Automated dependency updates: Dependabot (.github/dependabot.yml)
  • Supply chain transparency: CycloneDX SBOMs and Sigstore attestations per release
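The XXE-safe parsing claim above is easy to verify directly. The following Go program is an added example, not opnDossier's own code: it feeds encoding/xml three constructed documents (the element names are only a plausible shape, not a real OPNsense export) and shows that the DOCTYPE is surfaced as an opaque directive and never interpreted, so a reference to an entity declared there is rejected in the default strict mode, and is kept as literal text, never resolved, even when strict mode is turned off.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample documents. The first declares an external entity and
// references it; the second builds a small "billion laughs"-style expansion
// chain; the third is benign and uses only the predefined &amp; entity.
const (
	xxeDoc = `<?xml version="1.0"?>
<!DOCTYPE opnsense [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<opnsense><system><hostname>&xxe;</hostname></system></opnsense>`

	expansionDoc = `<?xml version="1.0"?>
<!DOCTYPE opnsense [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<opnsense><system><hostname>&b;</hostname></system></opnsense>`

	benignDoc = `<?xml version="1.0"?>
<opnsense><system><hostname>fw01 &amp; co</hostname></system></opnsense>`
)

// hostnameOnly is a hypothetical typed target for the sample documents.
type hostnameOnly struct {
	XMLName  xml.Name `xml:"opnsense"`
	Hostname string   `xml:"system>hostname"`
}

// parseHostname decodes doc with encoding/xml in its default Strict mode.
// The DOCTYPE (including the ENTITY declarations inside it) is returned only
// as an opaque xml.Directive token and never interpreted, so a later reference
// such as &xxe; is an undeclared entity and the decoder returns a
// *xml.SyntaxError instead of resolving anything.
func parseHostname(doc string) (string, error) {
	var h hostnameOnly
	dec := xml.NewDecoder(strings.NewReader(doc))
	if err := dec.Decode(&h); err != nil {
		return "", err
	}
	return h.Hostname, nil
}

// parseHostnameLenient does the same with Strict disabled. Even then the
// decoder performs no entity expansion: the reference survives as the literal
// text "&xxe;" in the decoded value rather than being resolved.
func parseHostnameLenient(doc string) (string, error) {
	var h hostnameOnly
	dec := xml.NewDecoder(strings.NewReader(doc))
	dec.Strict = false
	if err := dec.Decode(&h); err != nil {
		return "", err
	}
	return h.Hostname, nil
}

// isUndefinedEntityError reports whether err is the decoder's refusal of an
// entity reference it does not recognise ("invalid character entity ...").
func isUndefinedEntityError(err error) bool {
	var se *xml.SyntaxError
	return errors.As(err, &se) && strings.Contains(se.Msg, "invalid character entity")
}

func main() {
	for _, s := range []struct{ name, doc string }{
		{"benign", benignDoc}, {"xxe", xxeDoc}, {"expansion", expansionDoc},
	} {
		h, err := parseHostname(s.doc)
		fmt.Printf("%-9s strict=true  hostname=%q err=%v\n", s.name, h, err)
	}
	h, err := parseHostnameLenient(xxeDoc)
	fmt.Printf("%-9s strict=false hostname=%q err=%v\n", "xxe", h, err)
}
```

The same behaviour is what rules out expansion attacks: the only entities encoding/xml ever substitutes are the five predefined ones, numeric character references, and whatever a program puts in Decoder.Entity itself, so a document cannot define entities that the parser will expand.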

For a full security assurance case, see docs/security/security-assurance.md.

Safe Harbor

We support safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or for which they have the account holder's explicit permission
  • Report vulnerabilities through the channels described above

We will not pursue legal action against researchers who follow this policy.

PGP Key

Fingerprint: F839 4B2C F0FE C451 1B11 E721 8F71 D62B F438 2BC0

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Contact

For general security questions, open a GitHub Issue. For vulnerability reports, use Private Vulnerability Reporting or email support@evilbitlabs.io.


Thank you for helping keep opnDossier and its users secure!
