| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| 0.2.x | ✅ |
| < 0.2 | ❌ |
Please open a GitHub issue for security vulnerabilities.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Resolution Timeline: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 60 days
- Acknowledgment of your report
- Assessment of the vulnerability
- Development of a fix
- Coordinated disclosure (if applicable)
- Credit in release notes (unless you prefer anonymity)
ArgusCloud implements the following security measures:
- JWT Authentication: Using PyJWT library with HS256 algorithm
- API Key Support: SHA256-hashed keys with constant-time comparison
- Token Expiration: Configurable JWT expiry (default: 1 hour)
- Cypher Query Whitelist: Only read-only queries allowed (MATCH...RETURN, CALL db., CALL apoc.)
- Pydantic Models: Request validation for all API endpoints
- Profile Name Validation: Alphanumeric with limited special characters
- AWS Credential Validation: Format validation for access keys
- Credential Handling: AWS credentials cleared from memory after use
- CORS Configuration: Specific origin validation (no wildcards)
- Zip Bomb Protection: Size and file count limits for uploads
- Neo4j Connection: Supports authenticated connections
- Environment Variables: Sensitive config via environment only
- No Credential Storage: Credentials never persisted to disk
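As an added illustration (not ArgusCloud's own code), the read-only Cypher allow-list and the SHA256-hashed, constant-time API key check listed above could be implemented like this in Python; the explicit write-clause deny-list is an extra defence-in-depth assumption that the list above does not state:

```python
import hashlib
import hmac
import re

# Explicit write clauses rejected as defence in depth (assumed list; the
# policy above only names the allowed shapes, not a deny-list).
_WRITE_CLAUSES = re.compile(
    r"\b(CREATE|MERGE|DELETE|DETACH|SET|REMOVE|DROP|LOAD\s+CSV|FOREACH)\b",
    re.IGNORECASE,
)


def is_read_only_cypher(query: str) -> bool:
    """Allow only the shapes named in the policy: MATCH ... RETURN,
    CALL db.*, or CALL apoc.*, and never a query with a write clause."""
    q = " ".join(query.split())  # collapse whitespace and trim
    if not q or _WRITE_CLAUSES.search(q):
        return False
    upper = q.upper()
    if upper.startswith("MATCH") and " RETURN " in f" {upper} ":
        return True
    return upper.startswith(("CALL DB.", "CALL APOC."))


def hash_api_key(api_key: str) -> str:
    """Store only the SHA-256 hex digest of an API key, never the key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def verify_api_key(presented: str, stored_hash: str) -> bool:
    """Compare digests in constant time so response timing does not leak
    how many leading characters of the presented key's hash are correct."""
    return hmac.compare_digest(hash_api_key(presented), stored_hash)


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    stored = hash_api_key("example-key-not-real")
    print(verify_api_key("example-key-not-real", stored))  # True
    print(verify_api_key("wrong-key", stored))             # False
    for cypher in (
        "MATCH (i:EC2Instance) RETURN i.id LIMIT 10",
        "CALL db.labels()",
        "MATCH (n) DETACH DELETE n",
        "CALL apoc.create.node(['Tmp'], {})",
    ):
        print(is_read_only_cypher(cypher), cypher)
```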
When deploying ArgusCloud:
- Use HTTPS: Always deploy behind TLS-terminating proxy
- Restrict CORS: Configure `ARGUSCLOUD_CORS_ORIGINS` appropriately
- Secure Neo4j: Enable authentication, use strong passwords
- Network Isolation: Run API and Neo4j in private network
- Least Privilege: Use read-only Neo4j users where possible
- Audit Logging: Enable logging for security events
- Regular Updates: Keep ArgusCloud and dependencies updated
Security advisories will be published via:
- GitHub Security Advisories
- Release notes
The following are in scope for security reports:
- ArgusCloud API server vulnerabilities
- Authentication/authorization bypasses
- Injection vulnerabilities (Cypher, command, etc.)
- Sensitive data exposure
- Denial of service vulnerabilities
The following are out of scope:
- Social engineering attacks
- Physical security
- Third-party service vulnerabilities
- Issues in development/test configurations
For security-related questions that don't require private disclosure, please open a GitHub Discussion.
Thank you for helping keep ArgusCloud secure!