Security Policy — EOLkits

Supported Versions

Reporting Security Vulnerabilities

Please do not file public issues for security vulnerabilities.

Instead:

1. Open a private vulnerability report on GitHub:

• Go to https://github.com/ntoledo319/EOLkits/security/advisories
• Click "Report a vulnerability"

1. Or contact via GitHub Discussions with "[SECURITY]" prefix

Expected response time: 48 hours

Security Measures

Code

• All code MIT licensed and open for audit
• 116 passing tests across all kits
• Deterministic builds (byte-identical output)
• Reproducible releases with SBOMs
• Sigstore-signed binaries

Infrastructure

• GRACE-managed VPS deployment with host Caddy, Docker, and satellite monitoring
• Stripe for payments (PCI DSS Level 1)
• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Uploaded files auto-deleted after 30 days
• No plaintext credential storage

GitHub App

• Minimum required permissions only
• No access to private code without explicit install
• .no-eolkits opt-out file supported
• Abuse endpoint for immediate blocking

Bug Bounty

Status: Active (in-system credits only, no cash pre-revenue)

Scope:

• https://eolkits.com/*
• https://eolkits.com/health and EOLkits API paths on the same host
• GitHub App webhooks
• Open-source CLI tools

Out of scope:

• Third-party services (Stripe, GitHub, hosting providers)
• Social engineering
• DOS/availability issues
• Physical security

Safe Harbor

We support safe harbor for security researchers:

• No legal action for good-faith research
• No DMCA actions for bypassing copy protection (there is none)
• Please avoid: data destruction, privacy violations, DOS

Security Checklist for Users

• [ ] Verify CLI signatures before use (cosign verify)
• [ ] Review generated PRs before merging
• [ ] Use least-privilege IAM roles for scanning
• [ ] Enable 2FA on your GitHub account
• [ ] Review the .no-eolkits file option for opt-out

Incident History

*This security policy follows coordinated disclosure principles.*