Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email:

📧 security@faultray.com

Please include:

• Description of the vulnerability
• Steps to reproduce
• Impact assessment
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Fix & Disclosure: Within 30 days (coordinated disclosure)

FaultRay holds a small number of long-lived credentials (PyPI Trusted Publisher OIDC, GHCR tokens, Supabase service role, Stripe webhook secret). The rotation posture is:

Additional rules:

• No secret is committed to git. gitleaks.yml pre-commit + CI workflow enforces this.
• Every revocation is logged as a GitHub Security Advisory whenever credentials were possibly exposed.
• Rotation cadence enforcement is currently manual. An automated reminder (GitHub Issue auto-opened quarterly via a scheduled workflow) is tracked as a follow-up. Until then, maintainer self-audit at each release review is the fallback.

See docs/incident-response-runbook.md for the structured playbook covering:

• Production outage severity classification (SEV-1..3)
• Data-breach 72-hour GDPR notification window
• Stakeholder escalation matrix
• Post-incident review template

When using FaultRay in production:

• Always run behind a reverse proxy (nginx, Caddy)
• Enable authentication for the web dashboard
• Use API keys for programmatic access
• Keep FaultRay updated to the latest version
• Review the DORA compliance docs

Every published release ships three cryptographic signals:

1. CycloneDX SBOM — .cdx.json for Python dist + Docker image
2. SLSA v1 build provenance — attested via actions/attest-build-provenance
3. Sigstore cosign signature — keyless OIDC signing for Docker images

See docs/release-verification.md for step-by-step verification commands (gh attestation verify, cosign verify).

GitHubのIssuesで脆弱性を報告しないでください。

📧 security@faultray.com にメールで報告してください。

• 受領確認: 48時間以内
• 初期評価: 7日以内
• 修正・公開: 30日以内（協調的開示）