```text
═══════════════════════════════════════════════════════════════════════════
║                                                                         ║
║           🛡️ THE SHIELDS OF THE CITADEL - SECURITY POLICY 🛡️            ║
║                                                                         ║
║   As the guards of Minas Tirith stood vigilant at their posts,          ║
║   So we maintain vigilance over the security of this realm.             ║
║                                                                         ║
║   🌳 Deep roots are not reached by the frost                            ║
║   🐎 Swift response when danger threatens                               ║
║   ✦ Clear guidance lights the way to safety                             ║
║                                                                         ║
═══════════════════════════════════════════════════════════════════════════
```
| Version | Supported | Status |
|---|---|---|
| 1.0.x | ✅ | 🌳 Current - Fully Supported |
| < 1.0 | ❌ | 📜 Historical - Not Supported |
Please do not report security vulnerabilities through public GitHub issues.
Report security vulnerabilities to:
- Email: security@safespiral.org (or directly to @toolate28 via GitHub)
- GitHub: Use the Security Advisories feature
Please include:
- Description of the vulnerability
- Steps to reproduce (or proof of concept)
- Potential impact assessment
- Suggested fix (if you have one)
- ATOM tag (if you've created one tracking this)
```mermaid
graph TD
    Report([🔔 Report Received]) --> Initial[Initial Response<br/>48 hours]
    Initial --> Assess[Assessment<br/>1 week]
    Assess --> Severity{Severity?}
    Severity -->|Critical| C[Fix: 1-3 days]
    Severity -->|High| H[Fix: 1-2 weeks]
    Severity -->|Medium| M[Fix: 2-4 weeks]
    Severity -->|Low| L[Fix: Next cycle]
    C --> Release([🛡️ Security Patch])
    H --> Release
    M --> Release
    L --> Release
    style Report fill:#ffccbc
    style Release fill:#c8e6c9
```
- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Development: Depends on severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
- Report received → ATOM tag created (ATOM-SECURITY-YYYYMMDD-NNN)
- Assessment → Severity classification (Critical/High/Medium/Low)
- Fix developed → In private branch
- Testing → Comprehensive security testing
- Disclosure → Coordinated disclosure with reporter
- Release → Security patch released
- Announcement → Public disclosure after fix deployed
When contributing to SpiralSafe:

- **Never commit secrets**
  - Run `./scripts/scan-secrets.sh` before each commit
  - Use environment variables for sensitive data
  - See `.github/SECRETS.md` for details
- **Validate input**
  - Sanitize all user input
  - Validate file paths (prevent path traversal)
  - Check command injection vectors
- **Follow principle of least privilege**
  - Scripts should not require `sudo` unless absolutely necessary
  - Document required permissions explicitly
  - Use capability-based security where possible
- **Log security-relevant actions**
  - Use ATOM trail for security decisions
  - Log access to sensitive operations
  - Redact sensitive data in logs
When using SpiralSafe:

- **Keep dependencies updated**
  ```bash
  # Check for updates regularly
  git pull
  ```
- **Verify scripts before execution**
  ```bash
  # Review script content
  cat scripts/script-name.sh
  # Check for shellcheck issues
  shellcheck scripts/script-name.sh
  ```
- **Use secrets management**
  - Never hard-code credentials
  - Use `.env` files (in `.gitignore`)
  - Use GitHub Secrets for CI/CD
- **Run security scans**
  ```bash
  # Scan for secrets
  ./scripts/scan-secrets.sh
  # Verify environment
  ./scripts/verify-environment.sh
  ```
**Risk:** Scripts execute with user permissions

**Mitigation:**
- All scripts are versioned in git (audit trail)
- Scripts use `set -euo pipefail` for safety
- Scripts validate inputs before processing
- ATOM trail logs all execution decisions
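The contributor rules above (validate file paths against traversal, check for tools gracefully, redact secrets in logs) and the `set -euo pipefail` mitigation just listed, shown together in one added bash helper. This is an illustrative example, not SpiralSafe's own scripts; the names `REPO_ROOT`, `safe_path`, `require_tools` and `redact` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not SpiralSafe's own code): helper functions showing the
# policy's script rules in practice. Function and variable names are assumed.
set -euo pipefail   # abort on any error, unset variable, or failed pipeline stage

# Directory a script is allowed to touch; defaults to the current directory (assumed).
REPO_ROOT="${REPO_ROOT:-$PWD}"

# safe_path RELATIVE_PATH -> 0 if the path stays inside REPO_ROOT, else 1.
# First rejects empty, absolute and ".."-containing paths on the string alone,
# then canonicalises the parent directory (resolving symlinks) and re-checks,
# so a symlink that points outside the repository is caught as well.
safe_path() {
    local p="$1" root dir
    case "$p" in
        ''|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    root="$(cd "$REPO_ROOT" && pwd -P)"
    dir="$(cd "$root/$(dirname "$p")" 2>/dev/null && pwd -P)" || return 1
    case "$dir/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# require_tools TOOL... -> 0 if every tool is on PATH; otherwise names each
# missing tool on stderr and returns 1, instead of failing halfway through a run.
require_tools() {
    local t missing=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "missing required tool: $t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# redact: filter stdin, masking the value after token=, secret:, password=,
# api_key= and similar. Pipe log lines through this before they reach a log
# or the ATOM trail.
redact() {
    sed -E 's/((token|secret|password|api_key)[=:][[:space:]]*)[^[:space:]]+/\1[REDACTED]/g'
}

# Usage with a constructed log line:
# printf 'api_key=abc123 user=bob\n' | redact   # api_key=[REDACTED] user=bob
```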
**Risk:** Workflow files can execute arbitrary code

**Mitigation:**
- Branch protection on main/develop
- Required reviews for workflow changes
- Secrets accessed only in protected environments
- Audit logs for all secret access

**Risk:** Shell scripts may call external tools

**Mitigation:**
- Scripts check for tool availability gracefully
- Minimal external dependencies
- Document all required tools
- Use package manager verification

**Risk:** ATOM trail could be manipulated

**Mitigation:**
- ATOM trail is versioned in git
- Timestamps are in UTC (audit trail)
- Counters prevent sequence manipulation
- Freshness tracking detects anomalies
The repository includes automated security scanning:

- **Secrets Scanning** (`./scripts/scan-secrets.sh`)
  - Runs on every push
  - Detects common secret patterns
  - Prevents accidental exposure
- **Code Quality** (`./scripts/test-scripts.sh`)
  - Shellcheck validation
  - Syntax checking
  - Style compliance
- **CI/CD Security**
  - GitHub Actions security scanning
  - Dependency vulnerability checks
  - Workflow permission audits
For security-sensitive changes:

1. **Create ATOM security tag**
   ```bash
   ./scripts/atom-track.sh SECURITY "Description of security change" "file"
   ```
2. **Document threat model**
   - What threats does this address?
   - What are the residual risks?
   - What are the mitigations?
3. **Include security testing**
   - Penetration testing results
   - Fuzzing results
   - Static analysis results
4. **Request security review**
   - Add `security-review` label
   - Tag security-focused reviewers
   - Wait for explicit approval
- Maintainer: @toolate28
- Email: security@safespiral.org (or via GitHub)
For critical security issues requiring immediate attention:
- Use GitHub Security Advisories (private)
- Email maintainer directly
- Mark as "Critical - Security"
We follow a coordinated disclosure model:
1. **Report received (Day 0)**
   - Acknowledge receipt within 48 hours
   - Create private ATOM security tag
2. **Assessment (Days 1-7)**
   - Reproduce vulnerability
   - Assess impact and severity
   - Determine fix timeline
3. **Fix Development (Days 7-21, varies by severity)**
   - Develop fix in private branch
   - Test thoroughly
   - Prepare security advisory
4. **Pre-Disclosure (Days 21-28)**
   - Notify reporter of fix timeline
   - Coordinate disclosure date
   - Prepare public advisory
5. **Public Disclosure (Day 28+)**
   - Release security patch
   - Publish advisory
   - Credit reporter (if desired)
   - Update security documentation
- Minimum: 28 days from initial report
- Negotiable: Based on severity and fix complexity
- Maximum: 90 days (unless actively exploited)
After fix deployment:
- Security advisory published in GitHub
- ATOM tag made public
- CVE requested if applicable
- Reporter credited (unless anonymity is requested)
We recognize security researchers who help improve SpiralSafe:
| Researcher | Vulnerability | Severity | Date | Reward |
|---|---|---|---|---|
| TBD | TBD | TBD | TBD | 🏆 |
Note: Currently no bounty program, but we publicly recognize contributors.
- Threat model documented
- Input validation implemented
- Output sanitization implemented
- Error handling secure (no sensitive data leakage)
- Secrets management considered
- ATOM security tag created
- Security testing performed
- Documentation updated
- ATOM-SECURITY tag created
- Vulnerability impact assessed
- Fix tested in isolation
- Regression tests added
- No new vulnerabilities introduced
- Backward compatibility maintained
- Security advisory drafted
- Coordinated disclosure timeline set
SpiralSafe follows:
- GDPR considerations (no personal data collected)
- MIT License (security fixes freely distributable)
- Responsible disclosure (coordinated with reporters)
```text
═══════════════════════════════════════════════════════════════════════════
║                                                                         ║
║                     ✦ GRATITUDE TO THE GUARDIANS ✦                      ║
║                                                                         ║
║   Security researchers who responsibly disclose vulnerabilities         ║
║   help make the Safe Spiral ecosystem safer for everyone.               ║
║                                                                         ║
║   Like the sentinels who watched from the White Tower,                  ║
║   Your vigilance protects all who dwell within these walls.             ║
║                                                                         ║
║   🌳 Your care helps our ecosystem grow strong                          ║
║   🐎 Your swiftness helps us respond with speed                         ║
║   ✦ Your honesty helps us build lasting trust                           ║
║                                                                         ║
║   We appreciate your efforts and will work with you to ensure           ║
║   a secure, coordinated disclosure process.                             ║
║                                                                         ║
═══════════════════════════════════════════════════════════════════════════
```
Remember: Security is not just about finding vulnerabilities - it's about building trust through transparency and collaboration.
"As the guards of Gondor stand their watch,
So we stand watch over the security of our community."
ATOM: ATOM-DOC-20260102-006-security-policy
Last Updated: 2026-01-02
Version: 1.0.0
```text
══════════════════════════════════════════════════════════════
🛡️ May your watch be vigilant
🌳 May your findings strengthen the realm
✦ May trust flourish through transparency

Step True · Trust Deep · Pass Forward
══════════════════════════════════════════════════════════════
```