At RubixKube, we take security seriously. We appreciate the efforts of security researchers and community members who help us maintain the security and integrity of our platform.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report security vulnerabilities directly to our security team using one of the following methods:
- Email: security@rubixkube.ai
- PGP Key: Available on request for encrypted communications
- Response Time: We aim to acknowledge security reports within 24 hours
- GitHub Security Advisory: Use GitHub's private vulnerability reporting
- HackerOne: We may establish a bug bounty program in the future
To help us investigate and respond quickly, please include the following information in your security report:
- Vulnerability Type: (e.g., XSS, SQL Injection, Authentication Bypass)
- Affected Component: (e.g., API, Dashboard, Agent, etc.)
- Severity Assessment: (Critical, High, Medium, Low)
- Affected Versions: Which versions of RubixKube are impacted
- Steps to Reproduce: Clear, step-by-step instructions
- Proof of Concept: Code or commands that demonstrate the issue
- Expected vs Actual Behavior: What should happen vs. what actually happens
- Environment Details: OS, Kubernetes version, RubixKube version, etc.
- Screenshots: If applicable and helpful
- Error Messages: Full error logs and stack traces
- Network Traffic: Relevant HTTP requests/responses
- Configuration: Any special configuration that may be relevant
- We will acknowledge your report within 24 hours
- We will assign a primary point of contact for follow-up questions
- We may request additional information if needed
- Our security team will investigate the reported vulnerability
- We may reach out for clarification or additional details
- Investigation typically takes 1-7 days depending on complexity
- Critical/High Severity: Initial fix within 7 days, full resolution within 30 days
- Medium Severity: Initial fix within 30 days, full resolution within 90 days
- Low Severity: Addressed in regular release cycle
- We will keep you updated on our progress
- You will be notified when the vulnerability is fixed
- You may be credited in our security acknowledgments (with permission)
We believe in responsible disclosure and ask that you:
- Do not exploit the vulnerability for malicious purposes
- Do not disclose the vulnerability publicly until we have addressed it
- Give us reasonable time to investigate and fix the issue
- Test on non-production systems only
- We will coordinate public disclosure with you
- Security fixes are typically released as part of our regular update cycle
- We may publish security advisories on our security page
We consider security research conducted in accordance with this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
- Exempt from our Terms of Service prohibition against reverse engineering
- Protected under our commitment not to pursue legal action
- Keep RubixKube updated to the latest version
- Use strong authentication methods
- Follow the principle of least privilege for API keys and access tokens
- Regularly rotate credentials and API keys
- Monitor your deployments for unusual activity
- Encrypted Communication: All API communications use TLS 1.3
- Access Controls: Role-based access control (RBAC) for platform features
- Audit Logging: Comprehensive logging of security-relevant events
- Automated Updates: Security patches are automatically applied where possible
We use the following severity guidelines to prioritize security issues:
| Severity | Description | Examples |
|---|---|---|
| Critical | Remote code execution, complete data breach, full system compromise | RCE, SQL injection leading to data exfiltration |
| High | Significant data exposure, privilege escalation, authentication bypass | Token theft, unauthorized data access |
| Medium | Limited data exposure, denial of service, information disclosure | DoS affecting single user, limited info leak |
| Low | Minor issues, best practice violations, cosmetic problems | Missing security headers, typos in security docs |
This security policy applies to:
- RubixKube Platform: Core application and services
- Documentation: Security-related documentation issues
- Infrastructure: Cloud infrastructure and deployment configurations
- Dependencies: Third-party libraries and dependencies we maintain
Out of Scope:
- Issues in third-party services (report to respective vendors)
- Social engineering or physical security
- Distributed Denial of Service (DDoS) attacks
We would like to thank the following individuals for their responsible disclosure of security vulnerabilities:
- Security researcher names will be added here with their permission
- Historical acknowledgments will be maintained here
- Security Best Practices: Guidelines for secure deployment
- API Security: Authentication and authorization details
- Compliance: SOC 2, GDPR, and other compliance information
- General Support: support@rubixkube.ai
- Security Questions: security@rubixkube.ai
- Community Slack: #security channel
This security policy may be updated periodically. The latest version is always available at:
- GitHub: rubixkube-io/docs/SECURITY.md
- Website: rubixkube.ai/security
Thank you for helping keep RubixKube and our community safe! π‘οΈ
Report received? We'll respond within 24 hours. Let's work together to make RubixKube the most secure infrastructure platform possible.