We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- Go to the Security tab of this repository
- Click on "Report a vulnerability"
- Fill out the form with details about the vulnerability
Send an email to: security@grid-labs.tech
Please include the following information:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Location of the affected source code (file path, tag, or commit)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how it might be exploited
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 90 days (depending on complexity)
- We will acknowledge receipt of your vulnerability report
- We will send you regular updates about our progress
- We will notify you when the vulnerability is fixed
- We will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
When contributing to Tron, please follow these security guidelines:
- Never hardcode credentials or secrets
- Use environment variables for sensitive configuration
- Implement proper input validation
- Follow the principle of least privilege
- Sanitize all user inputs
- Use parameterized queries to prevent SQL injection
- Encrypt sensitive data at rest and in transit
- Never log sensitive information
- Keep dependencies up to date
- Review security advisories for dependencies
- Use only trusted and well-maintained packages
- Follow Kubernetes security best practices
- Use RBAC with minimal permissions
- Validate all user-provided Kubernetes manifests
- Never run containers as root unless necessary
Tron includes the following security features:
- Authentication: JWT-based authentication with refresh tokens
- Authorization: Role-based access control (RBAC)
- Secrets Management: Kubernetes Secrets integration
- Audit Logging: Activity tracking for compliance
- Input Validation: Server-side validation for all inputs
- HTTPS: TLS encryption for all communications
We currently do not have a bug bounty program, but we deeply appreciate security researchers who take the time to report vulnerabilities responsibly.
For any security-related questions, contact: security@grid-labs.tech