---
title: Security Policy
description: Security vulnerability reporting and policies for Vulcan
layout: doc
sidebar: true
---
The MITRE SAF team takes security seriously. If you discover a security vulnerability in Vulcan, please report it responsibly through one of the following private channels rather than in a public issue:
- Email: [email protected]
- GitHub: use the repository's Security tab to report the vulnerability privately (GitHub private vulnerability reporting)
When reporting a security issue, please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Your assessment of the potential impact
- A suggested fix, if you have one
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix timeline: varies by severity
Recommendations for users and operators:
- Keep updated: run the latest supported version of Vulcan
- Secure credentials: never commit passwords or SSH keys to version control
- Use OIDC/LDAP: prefer enterprise authentication over local accounts
- Network security: access Vulcan only over HTTPS and from trusted networks
Recommendations for contributors:
- Dependency scanning: run `bundle audit` before submitting PRs
- Credential handling: never log or expose credentials in code
- Input validation: validate and sanitize all user input
- Security tests: include security tests for new features
Security fixes are provided for the following versions:

Version | Supported |
---|---|
2.2.x | ✅ Yes |
2.1.x | ✅ Yes |
< 2.1 | ❌ No |
Vulcan includes comprehensive security testing; the same checks can be run locally before submitting changes:

```shell
# Run the full test suite
bundle exec rspec

# Check for vulnerable dependencies (bundler-audit; add --update to refresh
# the local advisory database first, or the check is only as current as it)
bundle exec bundle-audit check

# Scan the application code for potential security issues (Brakeman)
bundle exec brakeman
```
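In CI the useful question is not "did Brakeman run" but "did it find anything worth blocking a merge over". The script below is an added example, not code from Vulcan or the Brakeman project: it reads a Brakeman JSON report and exits non-zero when any finding is at or above a chosen confidence level. It assumes the report shape produced by `brakeman -f json` (a top-level `warnings` array whose entries carry `confidence`, `warning_type`, `file`, `line` and `message`); the sample report embedded in it is constructed, its file paths are invented, and the `BRAKEMAN_MIN_CONFIDENCE` environment variable is a name chosen for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not part of Vulcan: fail a CI job when Brakeman reports
# findings at or above a chosen confidence level.
#
# Assumed Brakeman JSON report shape (as produced by `brakeman -f json`):
# a top-level "warnings" array whose entries carry "confidence"
# ("High", "Medium" or "Weak"), "warning_type", "file", "line", "message".
require "json"

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Parse a Brakeman JSON report and return the warnings whose confidence is
# at or above min_confidence, most confident first, then by file and line.
def failing_warnings(report_json, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report = JSON.parse(report_json)
  Array(report["warnings"])
    .select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
    .sort_by { |w| [-CONFIDENCE_RANK[w["confidence"]], w["file"].to_s, w["line"].to_i] }
end

# One "file:line: [confidence] type - message" line per finding.
def format_warning(w)
  "#{w['file']}:#{w['line']}: [#{w['confidence']}] #{w['warning_type']} - #{w['message']}"
end

# Constructed sample report (file paths are invented for the example).
SAMPLE_REPORT = <<~REPORT
  {
    "scan_info": {"app_path": "/src/app", "brakeman_version": "6.0.0"},
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/widget.rb", "line": 42,
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/widgets/show.html.erb", "line": 7,
       "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "confidence": "Medium",
       "file": "app/controllers/widgets_controller.rb", "line": 88,
       "message": "Parameters should be whitelisted"}
    ],
    "ignored_warnings": [], "errors": [], "obsolete": []
  }
REPORT

# Usage: bundle exec brakeman -f json -q --no-exit-on-warn -o brakeman.json
#        ruby brakeman_gate.rb brakeman.json
# BRAKEMAN_MIN_CONFIDENCE (a name chosen for this example) sets the threshold.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  min = ENV.fetch("BRAKEMAN_MIN_CONFIDENCE", "Medium")
  failing = failing_warnings(File.read(ARGV[0]), min_confidence: min)
  failing.each { |w| puts format_warning(w) }
  puts "#{failing.size} finding(s) at or above #{min} confidence"
  exit(failing.empty? ? 0 : 1)
end
```

Brakeman itself exits non-zero when it finds any warning, which under `set -e` would stop the job before triage; `--no-exit-on-warn` leaves the pass/fail decision to the gate, so Weak-confidence noise can be reviewed without blocking a merge while High and Medium findings still fail the build.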
Authentication:
- Vulcan supports multiple authentication methods (OIDC, LDAP, local)
- Use enterprise authentication (OIDC/LDAP) in production
- Enforce strong password policies for any local accounts that remain

Data protection:
- Sensitive data is encrypted using symmetric encryption
- Database credentials should be kept out of the repository and supplied through configuration the deployment controls (for example environment variables or a secrets store)
- Use TLS for all external connections

Container deployment:
- Docker images run as a non-root user
- Keep base images updated
- Scan images for vulnerabilities regularly