
Security Policy

Reporting Security Vulnerabilities

The StrataRouter team takes security seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, report security issues via:

Email: support@stratarouter.com
PGP Key: Download

What to Include

Please include:

  • Description - Clear description of the vulnerability
  • Impact - Potential security impact
  • Reproduction - Steps to reproduce
  • Affected Versions - Which versions are affected
  • Suggested Fix - If you have ideas

Response Timeline

  • 24 hours - Initial response acknowledging receipt
  • 72 hours - Initial assessment of severity
  • 7 days - Detailed response with remediation plan
  • 30 days - Target fix deployment (critical issues prioritized)

Severity Classification

Critical (CVSS 9.0-10.0)

  • Remote code execution
  • Authentication bypass
  • Data exfiltration
  • Response: Immediate hotfix within 24-48 hours

High (CVSS 7.0-8.9)

  • Privilege escalation
  • SQL injection
  • Cross-site scripting (XSS)
  • Response: Fix within 7 days

Medium (CVSS 4.0-6.9)

  • Information disclosure
  • Denial of service
  • Response: Fix within 30 days

Low (CVSS 0.1-3.9)

  • Minor information leakage
  • Response: Fix in next regular release

Security Best Practices

For Deployment

1. Use HTTPS Everywhere

# Always use TLS
server:
  tls:
    enabled: true
    cert: /etc/ssl/server.crt
    key: /etc/ssl/server.key

2. Enable Authentication

auth:
  enabled: true
  method: saml  # or oauth2, api_key
  require_mfa: true

3. Restrict Network Access

security:
  ip_allowlist:
    - 10.0.0.0/8
    - 172.16.0.0/12

If StrataRouter runs behind a load balancer or reverse proxy, make sure the allowlist is matched against the real client address and not a client-supplied X-Forwarded-For header; otherwise anyone who can reach the proxy can spoof an allowlisted source.

4. Regular Updates

# Stay up to date
pip install --upgrade stratarouter

# Subscribe to security advisories
# GitHub: Watch → Custom → Security alerts

5. Audit Logging

audit:
  enabled: true
  backend: postgresql
  retention_days: 365
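
The five settings above can be checked mechanically before a rollout. The following is an added example (not StrataRouter's own tooling): it walks a config in the shape shown above and reports every setting that misses the baseline. The config is passed in as a dict (in practice, the result of yaml.safe_load on the config file); the key names are taken from the fragments above, while the thresholds for an "effectively open" allowlist and the minimum audit retention are assumptions of this check, not StrataRouter settings.

```python
import ipaddress
from typing import Any

# Thresholds used by this check only (assumptions, not StrataRouter settings):
# an IPv4 prefix shorter than /8 or an IPv6 prefix shorter than /16 is treated as
# "effectively open", and audit logs must be retained at least this many days.
MIN_PREFIX = {4: 8, 6: 16}
MIN_RETENTION_DAYS = 90
ALLOWED_AUTH_METHODS = ("saml", "oauth2", "api_key")


def _get(cfg: dict, dotted: str, default: Any = None) -> Any:
    """Look up a dotted key such as 'server.tls.enabled'; return default if absent."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the baseline holds."""
    findings = []

    # 1. HTTPS everywhere: TLS on, with both halves of the keypair configured
    if _get(cfg, "server.tls.enabled") is not True:
        findings.append("server.tls.enabled must be true (listener is plaintext)")
    else:
        for key in ("server.tls.cert", "server.tls.key"):
            if not _get(cfg, key):
                findings.append(f"{key} is not set")

    # 2. Authentication on, with a known method and MFA required
    if _get(cfg, "auth.enabled") is not True:
        findings.append("auth.enabled must be true")
    elif _get(cfg, "auth.method") not in ALLOWED_AUTH_METHODS:
        findings.append(f"auth.method must be one of {ALLOWED_AUTH_METHODS}")
    if _get(cfg, "auth.require_mfa") is not True:
        findings.append("auth.require_mfa should be true")

    # 3. Network restriction: allowlist present, every entry a valid CIDR, none open
    allowlist = _get(cfg, "security.ip_allowlist") or []
    if not allowlist:
        findings.append("security.ip_allowlist is empty (no network restriction)")
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(str(entry), strict=False)
        except ValueError:
            findings.append(f"security.ip_allowlist: {entry!r} is not a valid CIDR")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"security.ip_allowlist: {net} is effectively open")

    # 4. Regular updates are a process, not a config key, so nothing to check here.

    # 5. Audit logging on, with a retention window long enough for an investigation
    if _get(cfg, "audit.enabled") is not True:
        findings.append("audit.enabled must be true")
    elif int(_get(cfg, "audit.retention_days", 0) or 0) < MIN_RETENTION_DAYS:
        findings.append(f"audit.retention_days should be at least {MIN_RETENTION_DAYS}")

    return findings


# Constructed sample configs for the demo (not taken from any real deployment)
HARDENED = {
    "server": {"tls": {"enabled": True, "cert": "/etc/ssl/server.crt", "key": "/etc/ssl/server.key"}},
    "auth": {"enabled": True, "method": "saml", "require_mfa": True},
    "security": {"ip_allowlist": ["10.0.0.0/8", "172.16.0.0/12"]},
    "audit": {"enabled": True, "backend": "postgresql", "retention_days": 365},
}
WEAK = {
    "server": {"tls": {"enabled": False}},
    "auth": {"enabled": True, "method": "api_key"},              # no MFA
    "security": {"ip_allowlist": ["0.0.0.0/0", "not-a-cidr"]},  # open + malformed
    "audit": {"enabled": True, "retention_days": 7},
}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_config(cfg) or "OK")
```

Run it as a pre-deploy gate (non-empty findings fail the pipeline). The check deliberately treats a missing key the same as a disabled one, so a config that simply omits the `auth` or `audit` section is reported rather than silently passing.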

For Development

1. Secure Dependencies

# Check for vulnerabilities (pip-audit is the PyPA tool and needs no account)
pip install pip-audit
pip-audit

# Or with Safety
pip install safety
safety check

# Keep dependencies updated (-U needs a target; --upgrade-strategy eager also
# upgrades transitive dependencies, not just the ones you name)
pip install --upgrade-strategy eager -U stratarouter

2. Code Review

  • All changes require review
  • Security-focused reviews for auth/crypto code
  • Use automated security scanning

3. Secret Management

# ❌ DON'T hardcode secrets (they end up in git history, container images and logs)
api_key = "sk-1234..."

# ✅ DO use environment variables (a KeyError at startup is better than a silent None)
import os
api_key = os.environ["OPENAI_API_KEY"]

# ✅ DO use a secret manager; `vault.get_secret` here stands in for whatever
# client your secret manager provides, it is not a StrataRouter module
from vault import get_secret
api_key = get_secret("openai_api_key")
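
As an added example that is not part of StrataRouter, here is a fail-closed loader for the pattern above: it resolves a credential from the environment, then from the file named by the `<NAME>_FILE` variable (the convention Docker and Kubernetes secret mounts use), refuses a secret file that other users can read, and wraps the value so that accidental logging or repr() shows a redacted placeholder instead of the key. OPENAI_API_KEY is the variable from the page; the `_FILE` convention, the `Secret` wrapper and the sample values are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Optional


class Secret:
    """Holds a credential; repr()/str() are redacted so a stray log line cannot leak it."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Explicit accessor: every use of the raw value is easy to grep for in review."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> Secret:
    """Resolve NAME from env, then from the file named by NAME_FILE; otherwise fail closed."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        file_var = f"{name}_FILE"
        path = env.get(file_var)
        if path:
            p = Path(path)
            # A secret file readable by group/other is a misconfiguration: refuse it.
            if os.name == "posix" and p.stat().st_mode & 0o077:
                raise PermissionError(f"{file_var}={path} is readable by other users")
            # Strip only line endings (e.g. from `echo > file`), never other characters.
            value = p.read_text(encoding="utf-8").rstrip("\r\n")
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without a credential")
    return Secret(value)


def demo() -> dict:
    """Exercise the loader against a constructed environment (no real keys involved)."""
    results = {"world_readable_rejected": None}  # stays None on non-POSIX systems
    results["from_env"] = load_secret("OPENAI_API_KEY", {"OPENAI_API_KEY": "sk-constructed"}).reveal()
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "openai_key"
        key_file.write_text("sk-from-file\n", encoding="utf-8")  # constructed sample value
        env = {"OPENAI_API_KEY_FILE": str(key_file)}
        if os.name == "posix":
            os.chmod(key_file, 0o600)
        results["from_file"] = load_secret("OPENAI_API_KEY", env).reveal()
        if os.name == "posix":
            os.chmod(key_file, 0o644)  # simulate a world-readable secret mount
            try:
                load_secret("OPENAI_API_KEY", env)
                results["world_readable_rejected"] = False
            except PermissionError:
                results["world_readable_rejected"] = True
    try:
        load_secret("OPENAI_API_KEY", {})
        results["missing_rejected"] = False
    except RuntimeError:
        results["missing_rejected"] = True
    results["redacted_repr"] = repr(Secret("sk-constructed"))
    return results


if __name__ == "__main__":
    print(demo())
```

The wrapper does not make the value unreachable (reveal() returns it), it makes every use of the raw credential an explicit, greppable call and keeps it out of f-strings, tracebacks and structured log fields that format objects with repr().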

4. Input Validation

# Always validate user input at the API boundary, before it is routed or logged
def route(query: str):
    if len(query) > 10000:  # limit is in characters; add a byte or token budget if your backend needs one
        raise ValueError("Query too long")
    if not query.strip():
        raise ValueError("Empty query")
    # Process...

Security Features

Built-In Protections

1. Rate Limiting

  • Prevents abuse and DoS attacks
  • Configurable per-user/per-IP limits
  • Automatic blocking of excessive requests

2. SQL Injection Prevention

  • Parameterized queries only
  • ORM-based data access
  • Input sanitization

3. XSS Prevention

  • Content Security Policy headers
  • Output encoding
  • HTML sanitization

4. CSRF Protection

  • CSRF tokens for state-changing operations
  • SameSite cookie attributes
  • Origin validation

Enterprise Security

See Enterprise Security for:

  • Zero-trust architecture
  • SSO/SAML integration
  • Multi-factor authentication
  • Advanced audit logging
  • Encryption at rest and in transit

Known Security Issues

Current Advisories

Check GitHub Security Advisories for current issues.

Past Vulnerabilities

We maintain a transparent history of security issues and fixes in our Security Changelog.

Security Updates

Subscribing to Updates

GitHub:

  1. Go to the StrataRouter repository
  2. Click "Watch" → "Custom"
  3. Select "Security alerts"

Email: send a subscription request to support@stratarouter.com

RSS: https://stratarouter.com/security.rss

Security Releases

Security fixes are released as:

  • Patch releases - for supported versions (e.g., 0.2.1)
  • Backports - for LTS versions
  • Hotfixes - for critical vulnerabilities

Bug Bounty Program

We operate a private bug bounty program for security researchers.

Rewards:

  • Critical: $5,000 - $10,000
  • High: $1,000 - $5,000
  • Medium: $500 - $1,000
  • Low: $100 - $500

Eligibility:

  • First reporter of the vulnerability
  • Clear proof of concept
  • Responsible disclosure

Contact support@stratarouter.com to participate.

Security Compliance

StrataRouter maintains compliance with:

  • SOC 2 Type II
  • ISO 27001
  • HIPAA
  • GDPR
  • PCI DSS (for payment features)

See Compliance for details.

Contact

Security Team: support@stratarouter.com
PGP Key: Download
Fingerprint: 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678


Security is a continuous process. Stay vigilant.