OpenRisk takes the security of our software products, services, and community seriously. We are committed to maintaining the highest standards of security to protect the data and privacy of our users.
If you believe you have found a security vulnerability in OpenRisk, please report it to us as described below. Please do not open public GitHub issues for security vulnerabilities.
Email: security@openrisk.io
PGP Key: Download our PGP key
CVSS Scoring: Please include CVSS v3.1 Base Score if available
When reporting a security vulnerability, please provide:
- Description of the vulnerability
  - What is the issue?
  - What's the impact?
  - How can it be exploited?
- Affected versions
  - Which versions of OpenRisk are affected?
  - Is it in the latest version?
- Steps to reproduce
  - Provide clear steps to reproduce the issue
  - Include proof-of-concept code if possible
- Your contact information
  - Name and email address
  - Preferred communication method
  - Whether you want to be credited
- Timeline preferences
  - Preferred disclosure timeline
  - Any public disclosure date you have in mind
Example report:

```
Subject: [SECURITY] SQL Injection in Risk API

Description:
The /api/v1/risks endpoint is vulnerable to SQL injection through the "name" parameter.

Affected Versions:
- OpenRisk v1.0.0 through v1.2.3
- Not affected: v1.2.4+

Steps to Reproduce:
1. Send POST request to /api/v1/risks
2. Include payload: {"name": "'; DROP TABLE risks; --"}
3. Database tables are deleted

Impact:
- Complete data loss
- Service disruption
- Data integrity violation

Proof of Concept:
[Include code snippet or cURL command]

Timeline:
- Discovered: 2026-03-02
- Reported: 2026-03-02
- Proposed fix timeline: 2026-03-09
```
We commit to:
- Acknowledge receipt within 24 hours
- Provide initial assessment within 3 business days
- Keep you updated at regular intervals
- Provide ETA for fix within 5 business days
- Release patch as soon as possible
- Credit the reporter (if desired) in security advisories
| Phase | Timeline | Action |
|---|---|---|
| Initial Response | Within 24 hours | We acknowledge receipt of your report |
| Triage | Within 3 days | We assess severity and impact |
| Analysis | Within 7 days | We analyze the vulnerability thoroughly |
| Fix Development | Within 14 days | We develop and test a fix |
| Pre-release Testing | Within 21 days | We complete security testing |
| Patch Release | Within 30 days | We release a security patch |
| Public Disclosure | 30+ days after fix | We publish a security advisory |
Note: Critical vulnerabilities may have accelerated timelines.
Response targets by severity, from most to least severe:

| Severity | Examples | Response time | Fix release |
|---|---|---|---|
| Critical | Remote code execution; complete data breach; service-wide compromise | 4 hours | 24-48 hours |
| High | Authentication bypass; significant data exposure; major functionality compromise | 8 hours | 5-7 days |
| Medium | Partial data exposure; authentication issues; DoS possibilities | 24 hours | 10-14 days |
| Low | Limited impact; information disclosure; low-impact bugs | 3-5 days | 30 days |
- Keep dependencies updated - Run `npm audit` and `go mod tidy` regularly
- Use parameterized queries - Always escape user input
- Enable HTTPS/TLS - Encrypt all data in transit
- Implement authentication - Use industry-standard methods
- Validate input - Never trust user input
- Use secrets management - Never hardcode credentials
- Implement CORS properly - Restrict cross-origin requests
- Log security events - Track suspicious activities
- Review code changes - Require peer review for all PRs
- Keep OpenRisk updated - Deploy patches promptly
- Use strong credentials - Enforce password policies
- Enable 2FA - Use multi-factor authentication
- Monitor access logs - Review audit logs regularly
- Restrict network access - Use firewalls and VPNs
- Backup data - Maintain regular backups
- Update dependencies - Keep all packages current
- Use RBAC - Implement role-based access control
- Encrypt sensitive data - Use encryption at rest
- Use strong passwords - At least 16 characters, mixed case
- Enable 2FA - Use authenticator apps or hardware keys
- Review API keys - Rotate keys periodically
- Check audit logs - Monitor account activity
- Report suspicious activity - Contact support immediately
- Keep software updated - Apply patches when available
OpenRisk implements industry-standard security headers:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
```
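As an added example (not OpenRisk's own code), the following Go `net/http` middleware applies exactly the header set listed above and pairs it with an audit function that a deployer can run against any response to detect drift from the policy. The header names and values are copied from this page; the middleware wiring, the `/api/v1/risks` test path and the handler shapes are assumptions about how a Go backend might be structured.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// SecurityHeaders is the header set from the policy above, copied verbatim.
// The surrounding code is an illustrative example, not OpenRisk's own.
var SecurityHeaders = map[string]string{
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"X-Content-Type-Options":    "nosniff",
	"X-Frame-Options":           "DENY",
	"X-XSS-Protection":          "1; mode=block",
	"Content-Security-Policy":   "default-src 'self'",
	"Referrer-Policy":           "strict-origin-when-cross-origin",
	"Permissions-Policy":        "geolocation=(), microphone=(), camera=()",
}

// WithSecurityHeaders wraps an http.Handler so every response carries the
// policy headers. They are set before the wrapped handler runs, so a
// handler that writes its body (which flushes the headers) still gets
// them; a handler may still override a value on purpose.
func WithSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range SecurityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// AuditSecurityHeaders compares a response's headers with the policy and
// returns a sorted list of findings: "missing X" or "X: want A, got B".
// An empty result means the response matches the policy exactly.
func AuditSecurityHeaders(h http.Header) []string {
	var findings []string
	for name, want := range SecurityHeaders {
		got := h.Get(name)
		switch {
		case got == "":
			findings = append(findings, "missing "+name)
		case got != want:
			findings = append(findings, fmt.Sprintf("%s: want %q, got %q", name, want, got))
		}
	}
	sort.Strings(findings)
	return findings
}

// ServeAndAudit sends one in-memory request through handler and audits the
// response; it needs no network and is the hook used by main below.
func ServeAndAudit(handler http.Handler) []string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/risks", nil) // path assumed from this page
	handler.ServeHTTP(rec, req)
	return AuditSecurityHeaders(rec.Result().Header)
}

func main() {
	// A hypothetical API handler that returns an empty risk list.
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"risks":[]}`)
	})
	fmt.Println("bare handler findings:   ", ServeAndAudit(api))
	fmt.Println("wrapped handler findings:", ServeAndAudit(WithSecurityHeaders(api)))
}
```

The audit deliberately reports any difference rather than only missing headers, so a weakened Content-Security-Policy set further down the handler chain shows up as a finding. Note that current browsers ignore `X-XSS-Protection`; the effective cross-site scripting control in this set is the `Content-Security-Policy` value, which is why the audit treats its exact value as significant.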
We perform:
- Static code analysis - Automated security scanning
- Dependency scanning - Vulnerability detection in packages
- Dynamic testing - Runtime security validation
- Penetration testing - Manual security testing
- Compliance audits - Industry standard reviews
We conduct regular third-party security audits. Reports are available upon request.
Check for known vulnerabilities in OpenRisk dependencies:
```bash
# Backend
go list -json -m all | nancy sleuth
# Frontend
npm audit
yarn audit
```

We follow a coordinated disclosure policy:
- Report privately - Send report to security@openrisk.io
- We'll confirm receipt - Response within 24 hours
- Work together - Collaborate on fix development
- Agree on timeline - Typically 30-90 days
- Simultaneous release - Patch and advisory released together
- Credit given - Public acknowledgment (if desired)
After a fix is released, we will:
- Publish a security advisory on GitHub
- List the CVE if applicable
- Provide upgrade instructions
- Update our security page
Scenario 1: Simple Fix
- Day 1: Report received
- Day 3: Fix developed and tested
- Day 5: Patch released
- Day 5: Public advisory published
Scenario 2: Complex Fix
- Day 1: Report received
- Day 7: Fix developed and tested
- Day 14: Extended testing completed
- Day 14: Patch released
- Day 14: Public advisory published
Only the latest version of OpenRisk receives security updates.
| Version | Release Date | End of Life | Status |
|---|---|---|---|
| 1.4.x | 2026-03-02 | 2027-03-02 | Supported |
| 1.3.x | 2025-12-01 | 2026-09-01 | Supported |
| 1.2.x | 2025-09-01 | 2026-06-01 | Limited |
| 1.1.x | 2025-06-01 | 2026-03-01 | Limited |
| < 1.1 | - | Ended | Unsupported |
Note: We recommend always upgrading to the latest version.
- GitHub Security Advisory - https://github.com/opendefender/OpenRisk/security/advisories
- Dependencies - https://github.com/opendefender/OpenRisk/network/dependencies
- Security Policy - This file
- Code of Conduct - CODE_OF_CONDUCT.md
OpenRisk aims to comply with:
- OWASP Top 10 - Web application security
- NIST Cybersecurity Framework - Risk management
- ISO/IEC 27001 - Information security management
- GDPR - Data protection regulation
- SOC 2 - Service organization compliance
- Email: security@openrisk.io
- Response time: Within 24 hours
- General inquiries: info@openrisk.io
- Compliance: compliance@openrisk.io
- Privacy: privacy@openrisk.io
- Security Advisories - https://github.com/opendefender/OpenRisk/security/advisories
- Dependency Scanning - https://github.com/opendefender/OpenRisk/security/dependabot
- Code Scanning - https://github.com/opendefender/OpenRisk/security/code-scanning
- Security Documentation - https://docs.openrisk.io/security
Q: Do you offer a bug bounty program?
A: We do not offer a bug bounty program at this time, but we do offer recognition and credit for responsible disclosures.

Q: Can I publish my findings?
A: Please wait for our fix to be released and coordinated disclosure to be complete. Typically 30 days after initial report.

Q: What if I don't receive a response?
A: If you don't receive a response within 48 hours, please email conduct@openrisk.io to escalate.

Q: Will my identity be kept confidential?
A: Yes. We will only disclose information you authorize us to share.

Q: How are security patches released?
A: Security patches are released as minor version updates (e.g., 1.2.3 -> 1.2.4) with detailed release notes explaining the fix.
This security policy is based on industry best practices from:
Last Updated: March 2, 2026
Version: 1.0
Next Review: June 2, 2026
Thank you for helping keep OpenRisk secure!