We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT open a public GitHub issue
- Email security details to: rokartifactstorage@redhat.com
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 7 days
- We will keep you informed of progress
- We will coordinate disclosure after a fix is available
We follow responsible disclosure practices:
- We will work with you to understand and resolve the issue
- We will credit you in security advisories (unless you prefer otherwise)
- We will not take legal action against security researchers acting in good faith
- Never commit credentials or API keys to the repository
- Use environment variables or secure config files for sensitive data
- Rotate credentials regularly
- Use OAuth2 tokens with appropriate scopes
- Keep dependencies up-to-date
- Review security advisories for dependencies
- Use
pip auditor similar tools to check for vulnerabilities
- Use secure file permissions for config files (600 for keys)
- Validate all user input
- Use HTTPS for all API communications
- Verify SSL certificates
- Follow secure coding practices
- Validate and sanitize all inputs
- Use parameterized queries/requests
- Avoid exposing sensitive information in logs
Security updates will be:
- Released as patch versions (e.g., 1.0.1)
- Documented in CHANGELOG.md
- Tagged with security labels in GitHub
- Announced via GitHub security advisories
- Tokens are stored in memory only
- Tokens are refreshed proactively to avoid expiration
- No tokens are logged or persisted
- Client certificates are loaded from files
- Certificate paths are validated
- SSL verification is enabled by default
- File paths are validated before operations
- File permissions are checked
- Large files are handled with streaming