We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
You can report security vulnerabilities through:
-
GitHub Security Advisory (Preferred)
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- This allows private discussion until a fix is ready
-
Email
- Send details to: security@lerian.studio
- PGP key available for encrypted communications
- We recommend Mailvelope for email encryption
Please do NOT disclose the vulnerability publicly until we have addressed it.
| Action | Timeframe |
|---|---|
| Acknowledgment | Within 24 hours |
| Initial assessment | Within 72 hours |
| Status update | Within 7 days |
| Resolution target | Within 90 days (severity dependent) |
- Initial Contact: You submit vulnerability via GitHub Advisory or email
- Acknowledgment: We confirm receipt within 24 hours
- Verification: Our security team verifies the vulnerability
- Assessment: We determine severity and potential impact
- Resolution: We develop and deploy a fix
- Notification: We inform you of the resolution
- Public Disclosure: We coordinate with you to disclose responsibly
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Security fixes only |
| Older versions | No |
We recommend always running the latest version.
- Authentication and authorization vulnerabilities
- Data exposure or leakage
- Injection vulnerabilities (SQL, command, etc.)
- Cryptographic issues
- Business logic flaws
- Denial of service (DoS) attacks
- Social engineering
- Physical security
- Issues in dependencies (report to upstream)
When deploying this application:
- Never hardcode secrets - Use environment variables or secrets management (e.g., HashiCorp Vault)
- Keep updated - Regularly update to the latest version
- Secure configuration - Follow our documentation for secure setup
- Network security - Use TLS, firewalls, and network segmentation
- Access control - Apply principle of least privilege
For local development, use the .env file (copied from .env.example). This file is gitignored and should never be committed.
Use an external secrets manager to inject secrets at runtime:
| Solution | Use Case | Documentation |
|---|---|---|
| HashiCorp Vault | Self-hosted, multi-cloud | https://www.vaultproject.io/ |
| AWS Secrets Manager | AWS-native workloads | https://aws.amazon.com/secrets-manager/ |
| Azure Key Vault | Azure-native workloads | https://azure.microsoft.com/services/key-vault/ |
| GCP Secret Manager | GCP-native workloads | https://cloud.google.com/secret-manager |
| External Secrets Operator | Kubernetes (any cloud) | https://external-secrets.io/ |
For Kubernetes deployments, we recommend using External Secrets Operator to sync secrets from your cloud provider's secret manager:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tracer-secrets
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend # or aws-secretsmanager, azure-keyvault, etc.
kind: ClusterSecretStore
target:
name: tracer-secrets
data:
- secretKey: API_KEY
remoteRef:
key: tracer/production
property: api_key
- secretKey: DB_PASSWORD
remoteRef:
key: tracer/production
property: db_passwordBefore deploying to production, verify:
- No secrets in source code or git history
-
.envfile is in.gitignore -
API_KEYis at least 32 characters and randomly generated -
DB_PASSWORDis strong and unique - Secrets are rotated regularly (recommended: 90 days)
- Access to secrets is audited and logged
We appreciate security researchers who help keep our project secure. With your permission, we'll acknowledge your contribution in our release notes.
- Security Email: security@lerian.studio
- General Issues: Use GitHub Issues for non-security bugs
- Discussions: GitHub Discussions