Skip to content

Security: kyaulabs/pulsar

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
main
develop
< 1.0

We provide security patches for the current main and develop branches. Older versions and unreleased branches are not supported.

Reporting a Vulnerability

Do not open a public issue. Report security vulnerabilities privately:

  • Email: git@kyaulabs.com
  • Subject: [SECURITY] pulsar - <brief description>

Include:

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Affected versions/components
  • Proof-of-concept or exploit code (if available)
  • Suggested remediation (if available)

Response SLA

Milestone Target
Acknowledgment 7 calendar days
Initial assessment 14 calendar days
Patch available 90 calendar days (or sooner)
Public disclosure After patch is available and users have had time to update

We will keep you informed of progress and coordinate disclosure timing.

Scope

The security policy covers:

  • Harness code: scripts, agents, skills, commands under .opencode/, scripts/, playbooks/, roles/
  • Secrets management: ansible-vault usage, .env handling, credential storage
  • SSH configuration: key management, cipher selection, access controls
  • Firewall rules: nftables/ufw/firewalld configurations generated or managed by the harness
  • CI/CD pipeline: GitHub Actions workflows, hooks, and automation

Out of Scope

  • Vulnerabilities in third-party dependencies (report to the upstream project)
  • Issues caused by misconfiguration by the operator (unless the harness enables unsafe defaults)
  • Social engineering or phishing attacks

Recognition

We maintain a Hall of Fame for security researchers who responsibly disclose valid vulnerabilities. With your permission, we will acknowledge your contribution in:

  • The security advisory
  • Release notes
  • SECURITY.md acknowledgments section

Disclosure coordination is handled on a case-by-case basis. We follow the principle of coordinated vulnerability disclosure (CVD) and will not disclose details before a patch is available unless mutually agreed.

There aren't any published security advisories