the_order/docs/governance/policies/security.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00


# Security Policy
## Supported Versions
We currently support the following versions with security updates:
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
1. **Do NOT** open a public GitHub issue
2. Email security details to: security@the-order.org (or your security contact)
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)
### Response Timeline
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Fix Timeline**: Depends on severity (see below)
### Severity Levels
- **Critical**: Remote code execution, authentication bypass, data breach
  - Fix timeline: 24-48 hours
- **High**: Privilege escalation, sensitive data exposure
  - Fix timeline: 7 days
- **Medium**: Information disclosure, denial of service
  - Fix timeline: 30 days
- **Low**: Best practices, defense in depth
  - Fix timeline: Next release cycle
## Security Practices
### Secrets Management
- All secrets must be encrypted using SOPS
- Never commit plaintext secrets
- Use environment variables for configuration
- Rotate secrets regularly
- Use short-lived tokens via OIDC
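The first two rules above ("encrypted using SOPS", "never commit plaintext secrets") are the ones a pre-commit hook can enforce mechanically. The following is an added example of such a check, not part of the_order's tooling; it assumes secret files live under a hypothetical `secrets/` directory as YAML, and relies on the shape of SOPS output (every leaf value rewritten as `ENC[...]`, plus a top-level `sops:` metadata block carrying a `mac:` entry). The two sample documents are constructed for illustration and contain no real ciphertext.

```python
"""Pre-commit style check: refuse to commit plaintext secrets.

Added example for the "Secrets Management" rules; not part of the_order's
own tooling. Assumptions: secret files are YAML under a `secrets/` directory
(hypothetical layout) and are encrypted with SOPS, which rewrites every leaf
value as `ENC[...]` and appends a top-level `sops:` block with a `mac:` entry.
The parser is line-based on purpose so the hook needs no third-party YAML
library to run.
"""
import re
import sys
from pathlib import Path

# "<indent><key>: <value>" lines; the key stops at the first colon, so the
# colons inside ENC[...,data:...,iv:...] payloads stay in the value part.
KV_LINE = re.compile(r"^(\s*)([^\s#][^:]*):\s*(.*)$")
# A SOPS-encrypted scalar, optionally quoted.
ENC_VALUE = re.compile(r"^['\"]?ENC\[[A-Z0-9_]+,")


def _walk(text: str):
    """Yield (inside_sops_block, key, value) for each key/value line."""
    in_sops_block = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":
            # A new top-level key ends (or starts) the sops: metadata block.
            in_sops_block = key == "sops"
        yield in_sops_block, key.strip(), value.strip()


def plaintext_leaves(text: str) -> list[str]:
    """Keys outside the sops: block whose scalar value is not ENC[...].

    Block-scalar markers ('|' or '>') are reported too: SOPS folds multi-line
    strings into a single ENC value, so a bare marker means plaintext.
    """
    return [
        key
        for in_sops, key, value in _walk(text)
        if not in_sops and value and not ENC_VALUE.match(value)
    ]


def has_sops_metadata(text: str) -> bool:
    """True when a top-level sops: block with a non-empty mac: entry exists."""
    return any(
        in_sops and key == "mac" and value for in_sops, key, value in _walk(text)
    )


def check_secret_file(text: str) -> list[str]:
    """Return findings for one file; an empty list means safe to commit."""
    findings = []
    if not has_sops_metadata(text):
        findings.append("missing SOPS metadata block (file is not SOPS-encrypted)")
    findings.extend(f"plaintext value for key '{k}'" for k in plaintext_leaves(text))
    return findings


# Constructed samples (not real SOPS output; the base64 bodies are dummies).
ENCRYPTED_SAMPLE = """\
db_password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
api:
    token: "ENC[AES256_GCM,data:dG9rZW4=,iv:aXY=,tag:dGFn,type:str]"
sops:
    age:
        - recipient: age1examplerecipientplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXI=
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-11-13T17:32:55Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""

PLAINTEXT_SAMPLE = """\
db_password: hunter2   # someone forgot to run sops --encrypt
api:
    token: ENC[AES256_GCM,data:dG9rZW4=,iv:aXY=,tag:dGFn,type:str]
"""


def main(paths: list[str]) -> int:
    """Exit non-zero if any staged secrets/*.y(a)ml file fails the check."""
    bad = 0
    for name in paths:
        path = Path(name)
        if "secrets" not in path.parts or path.suffix not in {".yaml", ".yml"}:
            continue
        for finding in check_secret_file(path.read_text()):
            print(f"{path}: {finding}", file=sys.stderr)
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    # Typical wiring: git diff --cached --name-only | xargs python check_secrets.py
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file list on the command line; a file that is either unencrypted or only partially encrypted (one leaf left in plaintext after a hand edit) blocks the commit. The check is deliberately a heuristic on file shape, not a decryption attempt: the hook runs on developer machines that may hold no decryption key, and verifying the MAC is SOPS's job at decrypt time.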
### Code Security
- All code must pass security linting (ESLint security plugins)
- Dependencies are scanned for vulnerabilities (Grype)
- Container images are signed (Cosign)
- SBOM generation for all artifacts (Syft)
### Infrastructure Security
- Immutable infrastructure via Terraform
- Secrets stored in KMS/HSM
- Network policies enforced via Kubernetes
- API gateway with WAF rules
- Regular security audits and penetration testing
### Access Control
- Least privilege principle
- Quarterly access reviews
- MFA required for all production access
- Audit logs for all sensitive operations
### Compliance
- eIDAS compliance for identity services
- Data retention policies per jurisdiction
- WORM storage for legal documents
- Audit trails for all financial transactions
## Security Updates
Security updates are released as:
- **Hotfixes**: For critical vulnerabilities
- **Patch releases**: For high/medium severity issues
- **Regular releases**: For low severity and general improvements
## Disclosure Policy
- Vulnerabilities are disclosed after a fix is available
- Coordinated disclosure with responsible parties
- CVE assignment for eligible vulnerabilities
- Security advisories published in `docs/governance/security-advisories/`
## Contact
- **Security Email**: security@the-order.org
- **PGP Key**: [Link to public key]
- **Security Team**: @the-order/security-team
## Additional Resources
- [Threat Models](docs/architecture/threat-models/)
- [Incident Response Runbook](docs/governance/runbooks/incident-response.md)
- [Security Checklist](docs/governance/security-checklist.md)