161ef94b4f
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge API Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge UI Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Has been cancelled
Sirius CI/CD Pipeline / Integration Test (push) Has been cancelled
Sirius CI/CD Pipeline / Public Stack Contract (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Has been cancelled
2.0 KiB
2.0 KiB
Security Policy
Sirius Scan is a security platform. We treat vulnerability handling as a first-class engineering workflow.
Supported Versions
We currently provide security fixes for:
mainbranch- Latest production release tag (for example,
v1.x)
Older releases may not receive security patches.
Reporting a Vulnerability
Do not open public issues for suspected vulnerabilities.
Use one of the private channels below:
- GitHub Security Advisories: https://github.com/SiriusScan/Sirius/security/advisories/new
- Email:
security@opensecurity.com
If possible, include:
- Affected component(s) and version/tag
- Reproduction steps or proof of concept
- Expected impact and attack preconditions
- Suggested mitigation (if known)
- Contact information for follow-up
Response Targets
We aim to meet the following timelines:
- Initial acknowledgment: within 24 hours
- Triage decision: within 72 hours
- Mitigation plan: within 7 calendar days for confirmed issues
- Public advisory: after a fix is available and coordinated
Complex vulnerabilities may require longer remediation windows. We will keep reporters informed of status.
Disclosure Process
- Report received and acknowledged privately
- Internal triage and severity classification
- Fix is prepared and validated
- Coordinated release and advisory publication
- Credit is given to reporter (if desired)
Scope
This policy covers vulnerabilities in:
Siriusprimary repository- Official Sirius Scan release artifacts
- Related services maintained under the SiriusScan organization where applicable
Third-party dependencies should also be reported upstream when required.
Safe Harbor
We support good-faith security research. We ask researchers to:
- Avoid service disruption or destructive testing
- Avoid accessing or modifying data that is not your own
- Report findings privately and allow coordinated remediation
We will not pursue action against research that follows this policy and applicable law.