Security: laugiov/iam-zero-trust-reference

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

Do NOT:

  • Open a public GitHub issue for security vulnerabilities
  • Discuss vulnerabilities on social media or public forums
  • Contact via LinkedIn for security issues

Do:

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Resolution target: Within 30 days for critical issues

Scope

This is a reference implementation for educational purposes. However, security issues in the patterns and controls demonstrated could affect adopters, so reports are taken seriously.

In scope:

  • Authentication/authorization bypasses
  • Injection vulnerabilities
  • Cryptographic weaknesses
  • Kubernetes security misconfigurations
  • CI/CD pipeline security issues

Out of scope:

  • Issues in dependencies (report upstream)
  • Denial of service (this is a demo project)
  • Social engineering

Recognition

Contributors who report valid security issues will be acknowledged in the project (unless they prefer anonymity).

There aren’t any published security advisories