Security policy
Goderash is audit infrastructure. Security is not a feature — it is the foundation. We take every report seriously and respond within 72 hours.
Responsible disclosure
If you discover a security vulnerability in Goderash (the open-source project or the hosted control plane), please report it privately before public disclosure.
Email: security@goderash.com
PGP: available on request.
We ask that you give us reasonable time to investigate and patch before disclosing publicly. We will acknowledge your report within 72 hours and provide a timeline for remediation.
Scope
The following are in scope for responsible disclosure:
- Authentication and authorization bypasses
- Cross-tenant data access (tenant isolation violations)
- Hash-chain tampering that is not caught by /v1/verify
- API key or secret exposure
- Injection vulnerabilities (SQL, command, SSRF)
- Evidence pack integrity issues
Out of scope: social engineering, DoS without an exploitable path, or issues in dependencies we do not control.
Our security baseline
- All API keys are scoped to a single tenant — cross-tenant reads are structurally impossible through the public API
- Per-tenant advisory locks serialize chain extension; no race condition on hash-chain writes
- Events are append-only; no update or delete path exists on the ledger
- Control plane runs in a non-root container (uid 1001)
- Secrets validated at startup via Pydantic-settings; missing config crashes immediately
- SAST (bandit, semgrep) runs on every CI push
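The baseline above (a per-tenant lock serializing chain extension, append-only events, and a /v1/verify-style recomputation that catches tampering) as an added Python illustration that is not Goderash's code. The event fields, the SHA-256-over-canonical-JSON hash layout, the in-memory store and a threading.Lock standing in for the database advisory lock are all assumptions of this example.

```python
import hashlib
import json
import threading
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Added illustration, not Goderash's code: event shape, hash layout and the
# in-memory store are assumptions; the lock stands in for a DB advisory lock.
GENESIS = "0" * 64
def event_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so an identical event always produces the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self._chains = defaultdict(list)           # tenant_id -> events
        self._locks = defaultdict(threading.Lock)  # one lock per tenant
        self._registry = threading.Lock()          # guards lock creation

    def append(self, tenant_id: str, payload: dict) -> dict:
        with self._registry:
            lock = self._locks[tenant_id]
        # One writer per tenant reads the head and extends it, so no forks.
        with lock:
            chain = self._chains[tenant_id]
            prev = chain[-1]["hash"] if chain else GENESIS
            event = {"seq": len(chain), "prev_hash": prev, "payload": payload,
                     "hash": event_hash(prev, payload)}
            chain.append(event)  # append-only: no update or delete path
            return event

    def verify(self, tenant_id: str) -> tuple:
        # Recompute every link; return (ok, first bad seq or chain length).
        prev = GENESIS
        for i, ev in enumerate(self._chains[tenant_id]):
            if (ev["seq"] != i or ev["prev_hash"] != prev
                    or ev["hash"] != event_hash(prev, ev["payload"])):
                return (False, i)
            prev = ev["hash"]
        return (True, len(self._chains[tenant_id]))

def concurrent_appends(ledger: Ledger, tenant_id: str, writers=8, each=25) -> tuple:
    # Many writers extend one tenant's chain at once; the lock keeps it linear.
    def work(w):
        for i in range(each):
            ledger.append(tenant_id, {"writer": w, "i": i})
    with ThreadPoolExecutor(max_workers=writers) as pool:
        pool.map(work, range(writers))
    return ledger.verify(tenant_id)
```

Truncating events off the tail is not detectable from the chain alone; that needs the latest head hash anchored somewhere the writer cannot rewrite.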
Coordinated disclosure timeline
We follow a 90-day coordinated disclosure window. We will work with reporters to ensure a CVE is published alongside our patch when appropriate.