Files
wehub-resource-sync e0e362d700
SDK Tests / changes (push) Waiting to run
SDK Tests / Python SDK Tests (sandbox) (push) Blocked by required conditions
SDK Tests / CLI Quality (push) Blocked by required conditions
SDK Tests / CLI Tests (push) Blocked by required conditions
SDK Tests / Python SDK Quality (code-interpreter) (push) Blocked by required conditions
SDK Tests / Python SDK Quality (sandbox) (push) Blocked by required conditions
SDK Tests / Python SDK Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Blocked by required conditions
Deploy Docs Pages / build (push) Waiting to run
Deploy Docs Pages / deploy (push) Blocked by required conditions
Real E2E Tests / changes (push) Waiting to run
Real E2E Tests / Python E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Java E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / JavaScript E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / C# E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Go E2E (docker bridge) (push) Blocked by required conditions
Real E2E Tests / Real E2E CI (push) Blocked by required conditions
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Blocked by required conditions
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Blocked by required conditions
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Blocked by required conditions
SDK Tests / Go SDK Quality And Tests (push) Blocked by required conditions
SDK Tests / SDK CI (push) Blocked by required conditions
chore: import upstream snapshot with attribution
2026-07-13 13:39:33 +08:00

2.2 KiB

Security Policy

Reporting Security Issues

The OpenSandbox team takes security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Do not report vulnerabilities in a public issue or to the Code of Conduct reporting address. The conduct@opensandbox.io address is only for community conduct reports.

What to Include

  • Clear description of the vulnerability
  • Steps to reproduce
  • Potential impact and scope
  • Suggested remediation (if available)

Response Process

  1. Acknowledgment within 48 hours
  2. Investigation and validation
  3. Fix development and testing
  4. Coordinated disclosure

Supported Versions

Only the latest release and main branch are actively supported with security updates.

Release Signatures

OpenSandbox signs public release outputs with GitHub/Sigstore attestations, cosign keyless container signatures, and Maven Central package signatures where applicable. See Release Verification for the trusted signer identities and verification commands.

Security Best Practices

When deploying OpenSandbox:

  • Keep dependencies up to date
  • Use network policies to restrict sandbox egress
  • Monitor audit logs regularly
  • Follow principle of least privilege

Cryptographic Key Length Policy

OpenSandbox TLS defaults are aligned with OpenSSF crypto_keylength guidance (NIST minimum strength through year 2030, as stated in 2012):

  • symmetric key: at least 112 bits
  • factoring modulus (RSA): at least 2048 bits
  • discrete logarithm key: at least 224 bits
  • discrete logarithm group: at least 2048 bits
  • elliptic curve key: at least 224 bits
  • hash algorithm strength: at least 224 bits

Project-owned enforcement points include:

  • Go SDK default transport certificate validation
  • Kubernetes controller validation for configured webhook/metrics TLS certificates

For controlled interoperability scenarios, legacy weaker key lengths can be explicitly enabled:

  • Go SDK: set TransportConfig.AllowWeakServerCertKeyLengths=true
  • Kubernetes controller: set --allow-weak-tls-keylengths=true