Files
wehub-resource-sync e0e362d700
SDK Tests / changes (push) Successful in 2m29s
Real E2E Tests / changes (push) Successful in 2m29s
Deploy Docs Pages / build (push) Has been cancelled
Deploy Docs Pages / deploy (push) Has been cancelled
Real E2E Tests / JavaScript E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Python E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Java E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / C# E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Go E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Real E2E CI (push) Has been cancelled
SDK Tests / SDK CI (push) Has been cancelled
SDK Tests / CLI Tests (push) Has been cancelled
SDK Tests / Python SDK Quality (code-interpreter) (push) Has been cancelled
SDK Tests / Python SDK Quality (sandbox) (push) Has been cancelled
SDK Tests / Python SDK Tests (code-interpreter) (push) Has been cancelled
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Python SDK Tests (sandbox) (push) Has been cancelled
SDK Tests / CLI Quality (push) Has been cancelled
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Go SDK Quality And Tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:39:33 +08:00

70 lines
2.2 KiB
Markdown

# Security Policy
## Reporting Security Issues
The OpenSandbox team takes security seriously. If you discover a security vulnerability, please report it responsibly.
### How to Report
- **GitHub Private Vulnerability Reporting**: Open a
[private security advisory](https://github.com/opensandbox-group/OpenSandbox/security/advisories/new)
Do not report vulnerabilities in a public issue or to the Code of Conduct
reporting address. The `conduct@opensandbox.io` address is only for community
conduct reports.
### What to Include
- Clear description of the vulnerability
- Steps to reproduce
- Potential impact and scope
- Suggested remediation (if available)
## Response Process
1. Acknowledgment within 48 hours
2. Investigation and validation
3. Fix development and testing
4. Coordinated disclosure
## Supported Versions
Only the latest release and main branch are actively supported with security updates.
## Release Signatures
OpenSandbox signs public release outputs with GitHub/Sigstore attestations,
cosign keyless container signatures, and Maven Central package signatures where
applicable. See [Release Verification](docs/community/release-verification.md) for the
trusted signer identities and verification commands.
## Security Best Practices
When deploying OpenSandbox:
- Keep dependencies up to date
- Use network policies to restrict sandbox egress
- Monitor audit logs regularly
- Follow principle of least privilege
## Cryptographic Key Length Policy
OpenSandbox TLS defaults are aligned with OpenSSF `crypto_keylength` guidance
(NIST minimum strength through year 2030, as stated in 2012):
- symmetric key: at least 112 bits
- factoring modulus (RSA): at least 2048 bits
- discrete logarithm key: at least 224 bits
- discrete logarithm group: at least 2048 bits
- elliptic curve key: at least 224 bits
- hash algorithm strength: at least 224 bits
Project-owned enforcement points include:
- Go SDK default transport certificate validation
- Kubernetes controller validation for configured webhook/metrics TLS certificates
For controlled interoperability scenarios, legacy weaker key lengths can be explicitly enabled:
- Go SDK: set `TransportConfig.AllowWeakServerCertKeyLengths=true`
- Kubernetes controller: set `--allow-weak-tls-keylengths=true`