If you discover a security issue in DecisionBox, please report it responsibly. Do not open a public issue.
Email security@decisionbox.io with:
- Description of the issue
- Steps to reproduce
- Affected versions/components
- Any potential impact assessment

After you report, you can expect:
- Acknowledgment within 48 hours
- Assessment within 5 business days
- Fix timeline communicated after assessment
- Credit given in the security advisory (unless you prefer to remain anonymous)
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Security fixes only |
| Older versions | No |
The following are in scope:
- DecisionBox API (`services/api/`)
- DecisionBox Agent (`services/agent/`)
- DecisionBox Dashboard (`ui/dashboard/`)
- Helm charts (`helm-charts/`)
- Docker images (`ghcr.io/decisionbox-io/*`)
- Secret providers (`providers/secrets/`)
The following are out of scope:
- Third-party dependencies (report to the upstream project)
- Self-hosted instances with custom modifications
- Social engineering
- Always set `SECRET_ENCRYPTION_KEY` for encrypting stored secrets (AES-256)
- Use external secret providers (GCP Secret Manager, AWS Secrets Manager) in production
- Run containers as non-root (Dockerfiles already configure this)
- Use network policies to restrict API access (the API should not be publicly exposed; only the dashboard should be)
- Keep images updated to the latest version
- Enable Kubernetes RBAC with least-privilege service accounts
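The manifests below put the hardening items above into one Kubernetes deployment: a NetworkPolicy that lets only dashboard pods reach the API, a dedicated service account with no API token mounted and no role bindings (the least privilege an API that only needs `SECRET_ENCRYPTION_KEY` from a Secret requires), and a pod spec that runs as non-root and reads the key from a Secret rather than a plain env value. This is an added example, not a manifest from the DecisionBox project or its Helm charts; the namespace `decisionbox`, the pod labels, the Secret name `decisionbox-secret-encryption-key`, the image name `ghcr.io/decisionbox-io/api`, and port 8080 are all assumptions.

```yaml
# Added example, not DecisionBox project code. Assumed: namespace "decisionbox",
# labels app=decisionbox-api / app=decisionbox-dashboard, API listening on TCP 8080,
# a pre-created Secret "decisionbox-secret-encryption-key" with a 32-byte key in "value".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: decisionbox-api-ingress
  namespace: decisionbox
spec:
  podSelector:
    matchLabels:
      app: decisionbox-api
  policyTypes: ["Ingress"]
  ingress:
    # Only dashboard pods in this namespace may open connections to the API.
    - from:
        - podSelector:
            matchLabels:
              app: decisionbox-dashboard
      ports:
        - protocol: TCP
          port: 8080
---
# Dedicated identity for the API with no token mounted and no RoleBindings:
# if the API never calls the Kubernetes API, this is the least privilege it can have.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: decisionbox-api
  namespace: decisionbox
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: decisionbox-api
  namespace: decisionbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: decisionbox-api
  template:
    metadata:
      labels:
        app: decisionbox-api
    spec:
      serviceAccountName: decisionbox-api
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true        # kubelet refuses to start the pod if the image runs as UID 0
        runAsUser: 10001          # assumed UID; use the one the DecisionBox Dockerfile sets
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          # Assumed image name; pin to an immutable tag or digest and update it regularly.
          image: ghcr.io/decisionbox-io/api:latest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            # Key is sourced from a Secret, never written into the manifest or image.
            - name: SECRET_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: decisionbox-secret-encryption-key
                  key: value
          ports:
            - containerPort: 8080
```

Two checks worth running after applying this: `kubectl auth can-i --list --as=system:serviceaccount:decisionbox:decisionbox-api -n decisionbox` should show no permissions beyond the defaults, and a NetworkPolicy only takes effect when the cluster's CNI enforces policies, so confirm the API is unreachable from a pod without the dashboard label before relying on it.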