Security is our top priority at AlphaBytez. We take all security reports seriously and appreciate responsible disclosure.

DO NOT create public GitHub issues for security vulnerabilities.

Instead, please email security reports to:

security@alphabytez.dev

Include in your report:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

1. Acknowledgment: Within 48 hours
2. Initial Assessment: Within 1 week
3. Status Updates: Every 2 weeks
4. Resolution: Varies by severity

• We aim to resolve critical issues within 30 days
• We will coordinate public disclosure with you
• You will be credited for the discovery (if desired)

We strongly recommend always running the latest version. Remember, the STING Community Edition offers no warranties or guarenteed support for ANY CE version.

STING-CE includes enterprise-grade security features:

• Passwordless Authentication: WebAuthn/Passkeys and Magic Links
• Multi-Factor Authentication: TOTP, SMS, and biometric options
• Session Management: AAL2 (Two-factor) session controls
• OAuth2/OIDC: Standard protocol support via Ory Kratos

• Vault Integration: HashiCorp Vault for secrets management
• PII Protection: Automatic serialization for sensitive data
• Encrypted Storage: All sensitive data encrypted at rest
• Secure Communication: TLS/HTTPS enforced

• Audit Logging: Comprehensive security event tracking
• Failed Login Detection: Rate limiting and blocking
• Session Monitoring: Suspicious activity detection
• Container Security: Isolated Docker services

• Zero-Trust Architecture: All services isolated and authenticated
• Network Segmentation: Docker networks for service isolation
• Secret Management: No hardcoded credentials
• Regular Updates: Security patches applied promptly

system:
  domain: your-domain.com
  protocol: https  # Always use HTTPS in production

• Require MFA for all admin accounts
• Enforce MFA for privileged operations
• Use hardware keys for critical accounts

email:
  mode: production
  production:
    provider: smtp
    # Use TLS/SSL
    port: 587  # or 465 for SSL
    # Never commit credentials
    username: ${EMAIL_USERNAME}
    password: ${EMAIL_PASSWORD}

# NEVER commit these to git
export DATABASE_PASSWORD="strong-password"
export VAULT_TOKEN="vault-token"
export OPENAI_API_KEY="your-api-key"

# Update STING-CE regularly
git pull origin main
./manage_sting.sh restart

# Update Docker images
docker compose pull
docker compose up -d

# Check authentication logs
docker compose logs kratos | grep -i "error\|fail"

# Check API logs
docker compose logs api | grep -i "unauthorized\|forbidden"

# Check Vault logs
docker compose logs vault | grep -i "denied\|error"

# Only expose necessary ports
# Production: 443 (HTTPS)
# Development: 8443 (HTTPS), 8025 (Mailpit)

sudo ufw allow 443/tcp
sudo ufw enable

database:
  # Use strong passwords
  password: ${DB_PASSWORD}  # From environment
  # Restrict connections
  host: localhost  # Not exposed externally

Before going to production:

• HTTPS enabled and working
• Email TLS/SSL configured
• Strong passwords for all services
• Environment variables used for secrets
• No hardcoded credentials in code

• Admin accounts use MFA
• Passwordless auth tested and working
• Session timeout configured
• Failed login rate limiting enabled

• Firewall configured (only necessary ports open)
• Docker containers use non-root users
• Vault unsealed and working
• Database not exposed externally
• Redis secured with password

• Audit logging enabled
• Log retention configured
• Security alerts set up
• Backup strategy in place

• Privacy policy updated
• Terms of service in place
• Data retention policy defined
• GDPR/CCPA compliance reviewed (if applicable)

Mailpit Email Catcher: In development mode, emails are caught by Mailpit (http://localhost:8025). This is NOT secure for production:

• All emails visible in web UI
• No authentication required
• Use only in development

Production should use a real SMTP provider with TLS.

Some services use host.docker.internal to access services on the host machine (e.g., Ollama LLM). Ensure:

• Host firewall rules are strict
• Only necessary services exposed
• Network segmentation in place

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• Docker Security: https://docs.docker.com/engine/security/
• Ory Kratos Security: https://www.ory.sh/docs/kratos/security
• Vault Security: https://www.vaultproject.io/docs/internals/security

For security inquiries or questions:

• Security Issues: security@alphabytez.dev
• General Contact: olliec@alphabytez.dev
• GitHub Issues: https://github.com/alphabytez/sting-ce/issues (non-security only)

We follow responsible disclosure practices:

1. Private Reporting: Report privately to security@alphabytez.dev
2. Assessment Period: Allow time for fix development
3. Coordinated Disclosure: Coordinate public disclosure
4. Credit: Security researchers credited (if desired)

We appreciate the security community's help in keeping STING-CE secure!

Security is a continuous process. Stay vigilant, stay updated, stay secure.

Developed by AlphaBytez