Report privately to the sole maintainer:
- Email: andersonfilho09@gmail.com
- Optional PGP: (to be added)
Do NOT create a public issue for vulnerabilities.
| Phase | Target SLA |
|---|---|
| Acknowledge report | ≤ 48 hours |
| Initial triage / severity classification | ≤ 5 business days |
| Fix or mitigation for High/Critical | ≤ 30 days |
| Fix or mitigation for Medium | ≤ 60 days |
| Fix or plan for Low | ≤ 90 days |
If a deadline cannot be met, we will provide status updates.
In scope (current / planned components):
- API Gateway (Go)
- User & Game Services (Java)
- Recommendation Service (Python)
- Messaging envelope & ingestion pipeline (Kafka / RabbitMQ)
Out of scope:
- Third-party platforms (Steam, console APIs), except for how we store the data they return
- User browsers / devices (client vulnerabilities outside our code)
Vulnerability classes we want reported:
- Authentication / authorization flaws
- Data exposure (PII, tokens)
- Injection (SQL, command, template)
- Deserialization, RCE
- SSRF, CSRF, XSS
- Privilege escalation
- Broken access control on endpoints or messages
Generally not accepted (low impact or no demonstrated exploit):
- Missing security headers with low practical impact
- Rate limiting absence (unless it leads to proven exploit)
- Use of deprecated libraries without demonstrated exploit
- Best practice suggestions without tangible risk
We prefer coordinated disclosure; do not publicly share details until a fix is released or 90 days have passed (whichever comes first), unless mutually agreed otherwise.
| Version | Supported | Notes |
|---|---|---|
| 0.1.0 (current) | Yes | Initial public documentation baseline |
Future: we intend to support the latest minor version (N) and the previous one (N-1) for 90 days after each new minor release.
Handling process:
- Receipt & acknowledgment
- Triage: preliminary severity classification (CVSS)
- Reproduce & log internally (private tracker)
- Patch development + code review (security focus)
- Regression + security tests
- Release (tagged, with a Security section in the changelog)
- Credit reporter (if desired & safe)
Automated security checks:
- Dependency scanning (SCA)
- Static code analysis (SAST)
- Container image vulnerability scanning
- Infrastructure as Code scanning
- Secret scanning (pre-commit + CI)
- SBOM generation per release
If you believe the vulnerability is being actively exploited, use the email subject URGENT SECURITY and describe the indicators you observed.
Baseline controls:
- Least privilege (service accounts scoped per service)
- Encryption in transit (TLS >=1.2)
- Encryption at rest (database & backups) (planned)
- Token revocation & audit logging (roadmap)
We use CVSS v3.1 base scoring to prioritize remediation. High (7.0–8.9) and Critical (9.0–10.0) receive expedited handling. Contextual/environmental adjustments may be applied for internal-only components.
Planned:
- Bug bounty scope definition
- PGP key publication
- Automated vulnerability disclosure (security.txt)