We actively support the latest version of Monitoring Hub. Security updates are applied to the main branch and deployed automatically to production.

If you discover a security vulnerability in Monitoring Hub, please report it responsibly:

1. GitHub Security Advisories: Use the Security Advisories feature on GitHub

   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability
   • We will respond within 48 hours

2. Email: Contact the maintainer directly

   • Email: Maintainer GitHub profile
   • Include "SECURITY" in the subject line
   • Provide steps to reproduce the vulnerability

Please provide:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact and severity
• Any proof-of-concept code (if applicable)
• Your contact information for follow-up

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 7-14 days
  • High: 14-30 days
  • Medium/Low: Next regular release

• We will coordinate disclosure with you
• Vulnerabilities will be disclosed after a fix is available
• Credit will be given to reporters (unless anonymity is requested)

Monitoring Hub implements several security best practices:

• Static Analysis: Bandit security scanner runs on all PRs
• Dependency Scanning: pip-audit checks for vulnerable dependencies
• Container Scanning: Trivy scans container images for vulnerabilities
• Automated Updates: Dependabot monitors and updates dependencies

• Timeouts: All HTTP requests include timeouts to prevent hanging
• Retry Logic: Exponential backoff with retry limits for network operations
• TLS/HTTPS: All external communications use HTTPS

• Input Validation: Strict manifest schema validation with marshmallow
• Template Security: Jinja2 templates use autoescape to prevent injection
• Artifact Verification: All packages published to GitHub Releases with checksums

• Base Images: Use official Red Hat UBI minimal images
• Non-Root: Containers run as non-privileged users where possible
• Read-Only: Filesystem mounted as read-only where applicable

When deploying Monitoring Hub:

1. Use Latest Version: Always use the latest stable release
2. Scan Images: Run container security scans before deployment
3. Network Isolation: Deploy in isolated network segments
4. Access Control: Restrict access to build artifacts and manifests
5. Monitor Dependencies: Enable Dependabot alerts in your fork

• Maintainer: @SckyzO
• Security Issues: Use GitHub Security Advisories
• General Questions: Open a GitHub Discussion

We thank the security research community for responsibly disclosing vulnerabilities and helping improve the security of Monitoring Hub.