Skip to content

Security: STARTcloud/core_provisioner

SECURITY.md

Security Policy

Supported Versions

Only the latest release is supported. Always consume the newest tagged version.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Preferred Method: Security Advisory

  1. Go to the GitHub Security Advisory page
  2. Click "Report a vulnerability"
  3. Fill out the advisory form with detailed information
  4. Submit the advisory

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Affected versions (if known)
  • Suggested fix (if you have one)

Response Process

Due to limited development resources:

  • Initial Response: we aim to acknowledge receipt within 48–72 hours
  • Assessment: initial assessment within about a week
  • Resolution: timeline depends on severity, typically 1–4 weeks
  • Disclosure: coordinated disclosure after a fix is available

Focus Areas

Core Provisioner is a Vagrant driver that runs on a developer or build host. The security-relevant areas are:

  • The bootstrap SSH keypair (ssh_keys/) — deliberately public, exactly like Vagrant's well-known insecure key. It exists only to reach a freshly booted box. Machines that keep it reachable after provisioning are misconfigured: enable vagrant_ssh_insert_key so the key is rotated and synced back at provision time.
  • The certificate set (ssls/) — a deliberately public development CA and default-signed pair, shipped inside the driver and synced to /secure/ on dev machines. It exists so dev machines have working TLS out of the box. Never add it to a production trust store; bring your own certificates by replacing the files in the working copy's driver/ssls/.
  • Hosts.yml is trusted input — values from it are interpolated into provider and shell commands on the host. Only run configurations you wrote or trust.
  • Release integrity — release assets are immutable and ship .sha256 sidecars; consumers must verify checksums after download.
  • Supply chain — Dependabot and CodeQL run against this repository.

Acknowledgments

Contributors who responsibly report security vulnerabilities will be acknowledged here (with their permission):

  • No vulnerabilities reported yet

There aren't any published security advisories