e0e362d700
SDK Tests / changes (push) Successful in 2m29s
Real E2E Tests / changes (push) Successful in 2m29s
Deploy Docs Pages / build (push) Has been cancelled
Deploy Docs Pages / deploy (push) Has been cancelled
Real E2E Tests / JavaScript E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Python E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Java E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / C# E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Go E2E (docker bridge) (push) Has been cancelled
Real E2E Tests / Real E2E CI (push) Has been cancelled
SDK Tests / SDK CI (push) Has been cancelled
SDK Tests / CLI Tests (push) Has been cancelled
SDK Tests / Python SDK Quality (code-interpreter) (push) Has been cancelled
SDK Tests / Python SDK Quality (sandbox) (push) Has been cancelled
SDK Tests / Python SDK Tests (code-interpreter) (push) Has been cancelled
SDK Tests / JavaScript SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / JavaScript SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Python SDK Tests (sandbox) (push) Has been cancelled
SDK Tests / CLI Quality (push) Has been cancelled
SDK Tests / Kotlin SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Kotlin SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / C# SDK Quality And Tests (code-interpreter) (push) Has been cancelled
SDK Tests / C# SDK Quality And Tests (sandbox) (push) Has been cancelled
SDK Tests / Go SDK Quality And Tests (push) Has been cancelled
70 lines
2.2 KiB
Markdown
70 lines
2.2 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting Security Issues
|
|
|
|
The OpenSandbox team takes security seriously. If you discover a security vulnerability, please report it responsibly.
|
|
|
|
### How to Report
|
|
|
|
- **GitHub Private Vulnerability Reporting**: Open a
|
|
[private security advisory](https://github.com/opensandbox-group/OpenSandbox/security/advisories/new)
|
|
|
|
Do not report vulnerabilities in a public issue or to the Code of Conduct
|
|
reporting address. The `conduct@opensandbox.io` address is only for community
|
|
conduct reports.
|
|
|
|
### What to Include
|
|
|
|
- Clear description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact and scope
|
|
- Suggested remediation (if available)
|
|
|
|
## Response Process
|
|
|
|
1. Acknowledgment within 48 hours
|
|
2. Investigation and validation
|
|
3. Fix development and testing
|
|
4. Coordinated disclosure
|
|
|
|
## Supported Versions
|
|
|
|
Only the latest release and main branch are actively supported with security updates.
|
|
|
|
## Release Signatures
|
|
|
|
OpenSandbox signs public release outputs with GitHub/Sigstore attestations,
|
|
cosign keyless container signatures, and Maven Central package signatures where
|
|
applicable. See [Release Verification](docs/community/release-verification.md) for the
|
|
trusted signer identities and verification commands.
|
|
|
|
## Security Best Practices
|
|
|
|
When deploying OpenSandbox:
|
|
- Keep dependencies up to date
|
|
- Use network policies to restrict sandbox egress
|
|
- Monitor audit logs regularly
|
|
- Follow principle of least privilege
|
|
|
|
## Cryptographic Key Length Policy
|
|
|
|
OpenSandbox TLS defaults are aligned with OpenSSF `crypto_keylength` guidance
|
|
(NIST minimum strength through year 2030, as stated in 2012):
|
|
|
|
- symmetric key: at least 112 bits
|
|
- factoring modulus (RSA): at least 2048 bits
|
|
- discrete logarithm key: at least 224 bits
|
|
- discrete logarithm group: at least 2048 bits
|
|
- elliptic curve key: at least 224 bits
|
|
- hash algorithm strength: at least 224 bits
|
|
|
|
Project-owned enforcement points include:
|
|
|
|
- Go SDK default transport certificate validation
|
|
- Kubernetes controller validation for configured webhook/metrics TLS certificates
|
|
|
|
For controlled interoperability scenarios, legacy weaker key lengths can be explicitly enabled:
|
|
|
|
- Go SDK: set `TransportConfig.AllowWeakServerCertKeyLengths=true`
|
|
- Kubernetes controller: set `--allow-weak-tls-keylengths=true`
|