Security: cloudfence/wazuhvirtualagents

SECURITY.md

Security Policy

Cloudfence WVAgents is designed for production security environments.

This document outlines the responsible disclosure process and recommended security practices.


Supported Versions

Security updates are provided for the most recent release of the project.

Users are encouraged to keep deployments updated.


Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, contact:

https://cloudfence.com.br
https://cloudfence.eu

Include:

• description of the issue
• reproduction steps
• affected version
• potential impact

We aim to acknowledge reports within 72 hours.


Security Design Principles

WVAgents follows these operational safety rules:

• no hardcoded credentials
• configuration-driven runtime
• no embedded infrastructure endpoints
• strict log routing rules
• isolated jails per device


Operational Security Recommendations

For production environments:

• restrict root access on the WVAgents host
• secure configuration file permissions
• review rsyslog routing rules
• audit PF firewall rules when enabled
• rotate Wazuh manager keys regularly

Configuration file permissions should be:

chmod 600 /usr/local/cloudfence/etc/cloudfence.conf
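
An added example, not part of the WVAgents project: a small audit check that the configuration file still carries the mode recommended above. The function names file_mode and check_conf_perms are hypothetical; the path and the 600 mode are the ones this policy states.

```shell
#!/bin/sh
# Added example (not project code): audit the mode of the WVAgents config file.
# file_mode and check_conf_perms are hypothetical helper names.

# Print the octal permission bits of a file.
# GNU stat is tried first: on GNU systems "stat -f" means "filesystem status"
# and would print unrelated output, so the BSD form is only the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if the file has exactly the wanted mode (default 600),
# 1 if the mode differs, 2 if the path cannot be audited as given.
check_conf_perms() {
    conf=$1
    want=${2:-600}
    # A symlink's own mode says nothing about the file that holds the secrets.
    if [ -L "$conf" ]; then
        echo "FAIL: $conf is a symlink; audit the target path directly" >&2
        return 2
    fi
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf is missing or not a regular file" >&2
        return 2
    fi
    mode=$(file_mode "$conf") || { echo "FAIL: cannot stat $conf" >&2; return 2; }
    if [ "$mode" != "$want" ]; then
        echo "FAIL: $conf has mode $mode, expected $want" >&2
        return 1
    fi
    echo "OK: $conf has mode $mode"
}

# When a path is given on the command line, audit it, for example:
#   sh check_conf.sh /usr/local/cloudfence/etc/cloudfence.conf
if [ "$#" -gt 0 ]; then
    check_conf_perms "$1"
fi
```

The distinct exit codes let a cron job or monitoring check tell a permission drift (1) apart from a missing or replaced file (2).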

Secrets Handling

Sensitive data such as:

• MANAGER_KEY
• API tokens
• credentials

must never be committed to the repository.

Use environment-specific configuration files instead.


Responsible Disclosure

Cloudfence supports responsible disclosure practices.

Researchers who report valid vulnerabilities will be acknowledged once the issue is resolved.
