DO NOT open a public issue for security vulnerabilities.
Please report security issues via:
- Email: security@scorching-aiops.dev
- GitVerse: Private message to @necrustulum
Include: description, reproduction steps, impact assessment, suggested fix (if any).
Response targets:
- Acknowledgment: within 48 hours
- Assessment: within 7 days
- Fix release: within 30 days for critical issues
| Version | Supported |
|---|---|
| latest (main) | ✅ |
| development branches | ❌ |
Scorching AIOps implements defense-in-depth:
- RBAC: the remediation-controller runs under its own Service Account with only the permissions its remediation actions need (namespaced Role, no cluster-admin)
- NetworkPolicy: inter-namespace communication is restricted to the flows each component requires
- Governance Agent: GDPR/SOC2 compliance checks before any autonomous remediation
- eBPF (Tetragon): kernel-level security monitoring (process exec, network, file access)
- Audit Trail: all remediation actions logged to ClickHouse
- Semi-Autonomous Mode: operator approval required before apply (configurable)
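As an illustration of the RBAC and NetworkPolicy bullets above, here is an added example of what a least-privilege setup for the remediation-controller can look like. These are not the project's shipped manifests: the namespace `scorching-aiops`, the Service Account name, the pod labels, the ClickHouse label and port, and the specific verbs are assumptions made for this example. The real controller's rules should be derived from the API calls its remediation actions actually make.

```yaml
# Added example, not the project's own manifests. Names, labels and ports are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: remediation-controller        # assumed name
  namespace: scorching-aiops          # assumed namespace
---
# Namespaced Role: only the verbs a remediation needs. No wildcards, no access to
# secrets, no cluster-scoped binding, no "delete" on deployments.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remediation-controller
  namespace: scorching-aiops
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch"]   # restart / scale via patch (assumed need)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]  # evict a crash-looping pod (assumed need)
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]                          # leave a record in the namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: remediation-controller
  namespace: scorching-aiops
subjects:
  - kind: ServiceAccount
    name: remediation-controller
    namespace: scorching-aiops
roleRef:
  kind: Role                                   # Role, not ClusterRole: scope stays in-namespace
  name: remediation-controller
  apiGroup: rbac.authorization.k8s.io
---
# Default-deny for every pod in the namespace, both directions. Every allowed flow
# then has to be written down explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: scorching-aiops
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Controller egress: DNS in kube-system and the ClickHouse audit sink only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: remediation-controller-egress
  namespace: scorching-aiops
spec:
  podSelector:
    matchLabels:
      app: remediation-controller              # assumed pod label
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system   # label set automatically by Kubernetes
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: clickhouse                  # assumed label of the audit sink
      ports:
        - protocol: TCP
          port: 9000                           # ClickHouse native protocol port
```

Two things to keep in mind when adapting this. The controller also has to reach the API server to apply anything, and with a default-deny in place that egress must be allowed separately; how depends on the cluster (usually an `ipBlock` for the kube-apiserver endpoint), so it is deliberately not guessed here. After applying, check the effective permissions rather than trusting the manifest: `kubectl auth can-i --list --as=system:serviceaccount:scorching-aiops:remediation-controller -n scorching-aiops` lists exactly what the Service Account can do, and should show nothing beyond the rules above.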
Known limitations of the default deployment:
- TLS uses self-signed certificates; replace them with certificates from a CA your clients trust before exposing any endpoint outside the cluster
- The Neo4j password is stored in a Kubernetes Secret. Secrets are only base64-encoded in etcd unless encryption at rest (an API server EncryptionConfiguration) is enabled, so anyone with etcd access or `get` on Secrets in that namespace can recover it
- The Ollama API has no authentication. It is reachable only from inside the cluster, so its protection rests entirely on the NetworkPolicy: any pod allowed to reach it can issue inference requests
DO NOT open a public issue for security vulnerabilities.
Report them by email or by private message to the maintainer. You will receive a response within 48 hours.