Currently, only the latest version of Keystone receives security updates.

| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |

If you discover a security vulnerability, please report it responsibly. Do NOT open a public issue for security vulnerabilities. Instead, please send an email to: security@archebase.com

Include the following information in your report:

- Description: A clear description of the vulnerability
- Impact: The potential impact of the vulnerability
- Steps to reproduce: Detailed steps to reproduce the issue
- Proof of concept: If applicable, include a proof of concept
- Affected versions: Which versions are affected

After you submit a report, the process is as follows:

- Confirmation: You will receive an email acknowledging receipt of your report
- Assessment: We will assess the vulnerability and determine its severity
- Resolution: We will work on a fix and coordinate disclosure with you
- Disclosure: We will announce the security fix when a patch is available

We aim to respond to security reports within 48 hours and provide regular updates on our progress.

When using Keystone with untrusted data:

- Validate Input: Always validate data from untrusted sources
- Least Privilege: Run services with the minimum required permissions
- Secrets Management: Store credentials and tokens securely, never commit them to source control
- Resource Limits: Set appropriate limits on request sizes and processing time
- Keep Updated: Use the latest version to benefit from security fixes
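The input-validation and resource-limit items above are per-request controls that a Go HTTP service enforces in its handlers. The following is an added example, not Keystone's own code: a hypothetical `/items` endpoint that caps the request body with `http.MaxBytesReader`, rejects unknown fields and trailing JSON, bounds field values, and wraps the mux in `http.TimeoutHandler` alongside server-level read/write timeouts. The route, the request type and the specific limits are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// maxBodyBytes caps the request body size. The value is an assumption for
// this example; pick one that matches the endpoint's real payloads.
const maxBodyBytes = 1 << 16 // 64 KiB

// createItemRequest is a hypothetical request shape, not a Keystone type.
type createItemRequest struct {
	Name string `json:"name"`
	Size int    `json:"size"`
}

// validate rejects values outside the bounds the service expects.
func (r createItemRequest) validate() error {
	if r.Name == "" || len(r.Name) > 128 {
		return errors.New("name must be 1-128 characters")
	}
	if r.Size < 0 || r.Size > 1_000_000 {
		return errors.New("size out of range")
	}
	return nil
}

// decodeRequest enforces the body cap and strict JSON decoding before any
// business logic runs, so oversized or malformed input is cheap to reject.
func decodeRequest(w http.ResponseWriter, r *http.Request) (createItemRequest, error) {
	var req createItemRequest
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields() // unexpected keys are an error, not silently ignored
	if err := dec.Decode(&req); err != nil {
		return req, err
	}
	// Reject trailing data so a second JSON document cannot ride along.
	if dec.More() {
		return req, errors.New("unexpected trailing data")
	}
	return req, req.validate()
}

func createItemHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	req, err := decodeRequest(w, r)
	if err != nil {
		var tooBig *http.MaxBytesError // returned by MaxBytesReader (Go 1.19+)
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid request: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"ok": true, "name": req.Name})
}

// NewHandler wires the route and bounds per-request processing time.
func NewHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/items", createItemHandler)
	return http.TimeoutHandler(mux, 5*time.Second, "request timed out")
}

func main() {
	// Server-level timeouts limit slow clients that never finish sending
	// headers or bodies; MaxHeaderBytes bounds header memory per request.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           NewHandler(),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
		MaxHeaderBytes:    1 << 14,
	}
	fmt.Println("listening on", srv.Addr)
	if err := srv.ListenAndServe(); err != nil {
		fmt.Println(err)
	}
}
```

The body cap, the strict decoder and the per-field bounds each fail closed on a different class of bad input (too much data, unexpected structure, out-of-range values), and the timeouts keep a single slow request from holding a worker indefinitely.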

Keystone includes several security-conscious design choices:

- Input Validation: Request validation and structured API handling
- Service Separation: Clear boundaries between API, storage, and background service components
- Dependency Hygiene: Go modules and automated dependency management help reduce risk

We regularly update dependencies to address security vulnerabilities:

- Automatic dependency updates via Dependabot or equivalent tooling
- Regular security reviews of dependencies
- Minimal dependency footprint where practical to reduce attack surface

We follow coordinated disclosure:

- Fix the vulnerability
- Release a new version
- Publish a security advisory (if applicable)
- Announce the fix

We do not disclose vulnerability details before a fix is available, unless the vulnerability is already publicly known.