Security Policy

Security Policy

This page summarizes the project's security policy. For the full policy, see SECURITY.md in the main repository.

---

Supported Versions

Version	Supported	Notes
2.0.x	✅ Yes	Current stable release
1.1.x	⚠️ Limited	Security fixes only until 2026-09-30
1.0.x	❌ No	End of life

Reporting Vulnerabilities

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities through GitHub Security Advisories:

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Provide detailed information

Expected Response: 48-72 hours for initial acknowledgment.

Security Considerations

What the Tool Does

• ✅ Reads system configuration files and /proc filesystem
• ✅ Executes read-only system commands with intelligent caching
• ✅ Generates local report files in reports/ directory
• ✅ Writes structured logs to logs/ directory
• ✅ Computes compliance scores against configurable thresholds

What the Tool Does NOT Do

• ❌ Transmit data externally (fully offline)
• ❌ Install software or external packages
• ❌ Create network connections
• ❌ Modify system configuration (unless remediation flags are explicitly used)
• ❌ Access user personal data or files
• ❌ Store credentials or sensitive authentication data

Report Security

• Reports contain sensitive system configuration information
• Report files are created with 600 permissions
• Log files are created with 644 permissions
• Store reports securely with appropriate access controls
• Sanitize reports before sharing externally

---

See SECURITY.md for the complete security policy.

Home