We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- GitHub Security Advisories: Report a vulnerability
- Email: security@architect-platform.io (if available)
You should receive a response within 48 hours. If for some reason you do not, please follow up to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Any potential mitigations you've identified
- Security vulnerabilities are reviewed and validated by maintainers
- A fix is developed in a private repository
- A security advisory is drafted
- The fix is tested thoroughly
- A new version is released with the security patch
- The security advisory is published
- Users are notified through release notes and GitHub notifications
- Never commit sensitive data (credentials, tokens, keys)
- Use environment variables for secrets
- Sanitize all user inputs, especially in shell commands
- Follow secure coding guidelines
- Run security scanners on code changes
- Keep dependencies up to date
- Keep Architect Platform updated to the latest version
- Use strong authentication methods
- Regularly review access permissions
- Monitor logs for suspicious activity
- Use secure communication channels (HTTPS, SSH)
- Scan plugins from untrusted sources
The platform executes shell commands. Always:
- Sanitize inputs before passing to CommandExecutor
- Use parameterized commands when possible
- Validate file paths to prevent traversal attacks
- Run with the least privilege necessary
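
A sketch of the parameterized-command and path-validation items above. It is an added example, not the platform's code: it is written in Python rather than against the real CommandExecutor API, and `resolve_inside`, `run_on_file` and `PRINT_FILE` are hypothetical names.

```python
import subprocess
import sys
import tempfile
from pathlib import Path


def resolve_inside(base: Path, user_path: str) -> Path:
    """Resolve user_path under base; reject anything that escapes it."""
    base = base.resolve()
    # resolve() collapses ".." and follows symlinks, so both escape routes
    # are caught; an absolute user_path replaces base and is rejected too.
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"path escapes workspace: {user_path!r}")
    return candidate


def run_on_file(tool: list[str], base: Path, user_path: str) -> str:
    """Run a fixed tool argv on one validated file, without a shell."""
    target = resolve_inside(base, user_path)
    # Argument vector + shell=False: the file name is a single argv entry,
    # so ';', '$()', spaces and quotes in it are never interpreted.
    # "--" ends option parsing so a name such as "-rf" stays an operand.
    argv = [*tool, "--", str(target)]
    done = subprocess.run(argv, cwd=base, shell=False, capture_output=True,
                          text=True, timeout=30, check=True)
    return done.stdout


# Stand-in for a real tool so the demo runs anywhere: prints the file content.
PRINT_FILE = [sys.executable, "-c",
              "import sys; print(open(sys.argv[-1]).read(), end='')"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp)
        hostile_name = "notes; echo INJECTED.txt"  # constructed sample input
        (workspace / hostile_name).write_text("hello\n")
        print(run_on_file(PRINT_FILE, workspace, hostile_name), end="")
        for attempt in ("../outside.txt", "/etc/passwd"):
            try:
                resolve_inside(workspace, attempt)
            except ValueError as err:
                print("rejected:", err)
```
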
Plugins have significant access to the system. Only use:
- Official plugins from the architect-platform organization
- Plugins from trusted sources
- Plugins whose source code you have reviewed
- Store sensitive configuration outside of version control
- Use environment variables for secrets
- Restrict file permissions on configuration files
- Encrypt sensitive data at rest
We use automated tools to track and update dependencies:
- Renovate: Automatically creates PRs for dependency updates
- GitHub Dependabot: Security alerts for vulnerable dependencies
- CodeQL: Static analysis for security vulnerabilities
The project uses several security tools:
- CodeQL: Automated code scanning
- OWASP Dependency Check: Dependency vulnerability scanning
- Trivy: Container vulnerability scanning
- SonarQube: Code quality and security analysis (if available)
- Security issues are disclosed publicly after a fix is available
- Credit is given to researchers who report vulnerabilities responsibly
- We aim for full transparency while protecting users
For security inquiries: security@architect-platform.io (or create a private security advisory)
For general questions: Use GitHub Discussions
We appreciate the security research community and thank all researchers who help keep Architect Platform secure.
Last updated: 2024-11-02