Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in Armor, please report it responsibly:

1. Go to the GitHub Security Advisory page
2. Click "Report a vulnerability"
3. Fill out the advisory form with detailed information
4. Submit the advisory

Please provide as much information as possible:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Affected versions (if known)
• Suggested fix (if you have one)
• Your contact information for follow-up questions

Due to limited development resources, please understand that:

• Initial Response: We aim to acknowledge receipt within 48-72 hours
• Assessment: Initial assessment will be completed within 1 week
• Resolution: Timeline depends on severity and complexity, typically 1-4 weeks
• Disclosure: Coordinated disclosure after fix is available

• Critical: Immediate attention (RCE, privilege escalation)
• High: Quick response needed (authentication bypass, data exposure)
• Medium: Standard timeline (DoS, information disclosure)
• Low: Lower priority (minor information leaks)

Given that Armor API manages system-level operations on OmniOS, please pay special attention to:

• API Key Authentication: Bypasses or privilege escalation
• File System Operations: Path traversal or unauthorized file access
• Command Execution: Any potential for command injection

• Default Configurations: Insecure defaults
• SSL/TLS Implementation: Certificate validation, cipher suites
• CORS Configuration: Origin validation bypasses
• Database Security: SQL injection, unauthorized access

To maintain security:

1. Keep Updated: Always run the latest stable version
2. Secure Configuration: Follow the security configuration guide
3. API Key Management: Rotate API keys regularly, use strong keys
4. Network Security: Use HTTPS, restrict network access appropriately
5. Monitor Logs: Watch for suspicious activity in application logs

Armor API includes several security features:

• API Key Authentication: Bcrypt-hashed keys with configurable rounds
• CORS Protection: Whitelist-based origin validation
• SSL/TLS Support: Configurable HTTPS with custom certificates
• Input Validation: Parameter validation and sanitization
• Audit Logging: API key usage tracking

We appreciate the security research community's efforts in making Armor API more secure. Responsible disclosure helps protect all users.

Contributors who responsibly report security vulnerabilities will be acknowledged here (with their permission):

• No vulnerabilities reported yet

This security policy may be updated as the project evolves. Check back periodically for changes.

Remember: Security is a shared responsibility. Your vigilance and responsible reporting help keep the entire Armor community safe.