AiSOC is security software, so we take vulnerabilities in our own stack seriously. This document explains how to report issues responsibly and what to expect from us.
| Version | Status |
|---|---|
main |
Active development. Security fixes land here first. |
| Latest tagged release | Receives critical fixes for 90 days after release. |
| Older tagged releases | Best-effort only. We strongly recommend upgrading. |
Please do not open a public GitHub issue or PR for security problems.
Use GitHub's private vulnerability reporting to send us a report directly. Include as much detail as possible:
- A clear description of the issue and its impact
- Steps to reproduce, ideally a minimal proof of concept
- Affected version, commit SHA, or container digest
- Your name / handle if you'd like to be credited
If GitHub's reporting flow is not workable for your situation, you can instead reach the maintainers through the SECURITY contact in the repository profile. Please request our PGP key in your first message and we'll respond out-of-band before you send sensitive details (payloads, tokens, customer data).
| Window | What we do |
|---|---|
| Within 48 hours | Acknowledge receipt and assign a primary contact. |
| Within 7 days | Provide an initial triage: severity, scope, mitigation status. |
| Within 30 days | Ship a fix, advisory, or a clear timeline if more work is required. |
| On disclosure | Coordinate a public advisory and credit the reporter (if desired). |
We follow coordinated disclosure and assign CVSS v3.1 scores in our advisories.
In scope:
- Source in this repository (services, web, infra, integrations, packages)
- Official Docker images published from this repository
- Default Helm chart and Terraform modules in
infra/
Out of scope:
- Third-party services that AiSOC integrates with (CrowdStrike, Splunk, AWS, etc.)
- Self-hosted deployments that have been customized
- Issues requiring physical access to a host
If you operate AiSOC, please review:
docs/runbooks/HARDENING.mdfor production hardening stepsinfra/helm/aisoc/values.yamlfor the security-related defaultsservices/api/app/core/security.pyandservices/api/app/auth/for our auth, RBAC, and SSO primitivesservices/api/app/middleware/for rate limiting, audit logging, and request hardening
AiSOC is an open-source project and does not currently operate a paid bounty program. We deeply appreciate responsible reports and will credit researchers in advisories and the hall of fame.
We publicly thank researchers who report valid issues. Once a fix has shipped, we credit reporters (with their consent) in the corresponding GitHub Security Advisory and the relevant CHANGELOG.md entry.