Files
siriusscan--sirius/SECURITY.md
T
wehub-resource-sync 161ef94b4f
Check engine pin consistency / Dockerfile / CI pin consistency (push) Successful in 8s
Sirius CI/CD Pipeline / Detect Changes (push) Successful in 23s
Validate Docker Configuration / Validate Docker Compose Configuration (push) Successful in 47s
Sirius CI/CD Pipeline / Build API (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build UI (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Engine Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge API Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Merge UI Manifest (push) Has been cancelled
Sirius CI/CD Pipeline / Build Engine (${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Build Infra (${{ matrix.service }}, ${{ matrix.platform }}) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-postgres) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-rabbitmq) (push) Has been cancelled
Sirius CI/CD Pipeline / Merge Infra Manifest (sirius-valkey) (push) Has been cancelled
Sirius CI/CD Pipeline / Integration Test (push) Has been cancelled
Sirius CI/CD Pipeline / Public Stack Contract (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Deployment (sirius-demo branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Dispatch Demo Canary (main branch) (push) Has been cancelled
Sirius CI/CD Pipeline / Guard Registry Namespace (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:32:25 +08:00

2.0 KiB

Security Policy

Sirius Scan is a security platform. We treat vulnerability handling as a first-class engineering workflow.

Supported Versions

We currently provide security fixes for:

  • main branch
  • Latest production release tag (for example, v1.x)

Older releases may not receive security patches.

Reporting a Vulnerability

Do not open public issues for suspected vulnerabilities.

Use one of the private channels below:

If possible, include:

  1. Affected component(s) and version/tag
  2. Reproduction steps or proof of concept
  3. Expected impact and attack preconditions
  4. Suggested mitigation (if known)
  5. Contact information for follow-up

Response Targets

We aim to meet the following timelines:

  • Initial acknowledgment: within 24 hours
  • Triage decision: within 72 hours
  • Mitigation plan: within 7 calendar days for confirmed issues
  • Public advisory: after a fix is available and coordinated

Complex vulnerabilities may require longer remediation windows. We will keep reporters informed of status.

Disclosure Process

  1. Report received and acknowledged privately
  2. Internal triage and severity classification
  3. Fix is prepared and validated
  4. Coordinated release and advisory publication
  5. Credit is given to reporter (if desired)

Scope

This policy covers vulnerabilities in:

  • Sirius primary repository
  • Official Sirius Scan release artifacts
  • Related services maintained under the SiriusScan organization where applicable

Third-party dependencies should also be reported upstream when required.

Safe Harbor

We support good-faith security research. We ask researchers to:

  • Avoid service disruption or destructive testing
  • Avoid accessing or modifying data that is not your own
  • Report findings privately and allow coordinated remediation

We will not pursue action against research that follows this policy and applicable law.