| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to the repository maintainer
- Include a detailed description of the vulnerability
- Provide steps to reproduce if possible
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Resolution: Critical vulnerabilities will be addressed as priority
- Disclosure: We will coordinate disclosure timing with you
This security policy applies to:
- The `glassops-runtime` GitHub Action
- Related configuration schemas and contracts
- CI/CD workflow templates

The following are out of scope:
- Vulnerabilities in third-party dependencies (report these upstream)
- Issues in user-provided configuration files
- Theoretical vulnerabilities without proof of concept
When using GlassOps Runtime:
- Secrets Management: Always use GitHub Secrets for sensitive values (`jwt_key`, `client_id`)
- Least Privilege: Use dedicated Connected Apps with minimal permissions
- Audit Logs: Store deployment contracts for compliance audit trails
- Version Pinning: Pin to specific versions in production workflows
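As an added example, not taken from the GlassOps Runtime project, the following workflow applies the four practices above. The action owner `OWNER`, the placeholder commit SHA, the secret names `SF_JWT_KEY` and `SF_CLIENT_ID`, and the contract file path `glassops-contract.json` are assumptions; only the `jwt_key` and `client_id` inputs come from this policy.

```yaml
# Added example workflow (not the project's own). Placeholders: OWNER,
# the all-zero commit SHA, the secret names and the contract file path.
name: deploy

on:
  push:
    branches: [main]

# Least privilege for the workflow's own GITHUB_TOKEN; the Connected App
# used by the action should likewise be granted only the scopes it needs.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # In production, pin these helper actions to a commit SHA as well.
      - uses: actions/checkout@v4

      # Version pinning: reference a full commit SHA instead of a floating
      # ref such as @main or @v1, and record the human-readable tag beside it.
      - name: Run GlassOps Runtime
        uses: OWNER/glassops-runtime@0000000000000000000000000000000000000000 # v1.x.y (placeholder)
        with:
          # Secrets management: read the values from GitHub Secrets.
          # Anti-pattern to avoid: jwt_key: "-----BEGIN PRIVATE KEY-----..."
          jwt_key: ${{ secrets.SF_JWT_KEY }}
          client_id: ${{ secrets.SF_CLIENT_ID }}

      # Audit logs: keep the deployment contract as a build artifact even
      # when the deployment step fails, so the trail covers failed runs too.
      - name: Archive deployment contract
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: glassops-deployment-contract
          path: glassops-contract.json
```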
We appreciate researchers who practice responsible disclosure.