Security: aidevelopertraining/gowlin

Security Policy

Reporting Security Vulnerabilities

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@aidevelopertraining.com

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

What to Include

Please include the following information in your security report:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the issue
  • Location of affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact assessment of the issue
  • Suggested fix (if you have one)

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
0.1.x
< 0.1

Security Measures

Gowlin implements multiple layers of security to protect against various threats:

1. Sandboxing

  • Firecracker microVMs provide hardware-level isolation for user code execution
  • Resource limits prevent resource exhaustion attacks (CPU, memory, disk, network)
  • Namespace isolation ensures processes cannot escape their containers
  • Seccomp filtering blocks dangerous system calls

2. Input Validation

  • Strict validation of all user inputs using Pydantic models
  • Sanitization of file paths and command arguments
  • Size limits on uploaded files and request payloads
  • Content type validation for file uploads

3. Network Security

  • Restricted egress to only approved external endpoints
  • No inbound connections from sandbox environments
  • TLS encryption for all external communications
  • Certificate pinning for critical API endpoints

4. Authentication & Authorization

  • API key authentication with proper rotation policies
  • Rate limiting to prevent abuse
  • Audit logging of all authentication attempts
  • Principle of least privilege for all operations

5. Code Security

  • Static analysis with Bandit for security vulnerabilities
  • Dependency scanning to identify vulnerable packages
  • Secrets detection to prevent credential leaks
  • Regular security audits of the codebase

6. Operational Security

  • Encrypted storage of sensitive configuration data
  • Secure key management using environment variables
  • Regular security updates for all dependencies
  • Incident response procedures for security events

Security Testing

We employ various security testing methods:

  • Static Application Security Testing (SAST) with Bandit
  • Dependency vulnerability scanning with pip-audit
  • Container security scanning with Trivy
  • Penetration testing of the sandbox environment
  • Fuzzing of input validation routines

Security Metrics

We track the following security metrics:

  • Time to patch critical vulnerabilities (target: <24 hours)
  • Number of security issues found in code review
  • Percentage of dependencies with known vulnerabilities
  • Sandbox escape attempts detected
  • Rate limiting effectiveness

Incident Response

In case of a security incident:

  1. Immediate containment of the affected systems
  2. Assessment of the scope and impact
  3. Notification of affected users within 24 hours
  4. Remediation and patch deployment
  5. Post-incident review and process improvements

Security Resources

Security Hall of Fame

We maintain a hall of fame for security researchers who have responsibly disclosed vulnerabilities:

Coming soon...

Contact Information


Thank you for helping keep Gowlin and our community safe.

There aren’t any published security advisories