We take security seriously. If you discover a security vulnerability in Cordum, please report it responsibly.
Email: security@cordum.io
PGP Key: https://cordum.io/.well-known/pgp-key.asc
Key Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Initial response: Within 24 hours
- Status update: Within 72 hours
- Fix timeline: Depending on severity (see below)
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, authentication bypass | 24-48 hours |
| High | Privilege escalation, data exposure | 3-7 days |
| Medium | DoS, information disclosure | 7-14 days |
| Low | Minor issues, best practices | 30 days |
We follow coordinated disclosure:
- You report the vulnerability privately
- We acknowledge and investigate
- We develop and test a fix
- We release a patch and security advisory
- Public disclosure (typically 90 days after fix)
We currently do not have a formal bug bounty program, but we:
- Acknowledge security researchers in release notes
- Provide swag and recognition
- Consider commercial relationships for significant findings
Supported versions:

| Version | Supported |
|---|---|
| 0.9.x | ✅ Active development |
| 0.8.x | ✅ Security fixes only |
| < 0.8 | ❌ No longer supported |
Cordum implements defense-in-depth security:
- ✅ RBAC with fine-grained permissions
- ✅ SSO/SAML integration (Enterprise)
- ✅ API key rotation
- ✅ JWT token validation
- ✅ TLS 1.3 for all network traffic
- ✅ Encryption at rest (configurable)
- ✅ Secrets management integration (Vault, AWS Secrets Manager)
- ✅ Audit logging (append-only, tamper-evident)
- ✅ Minimal container images (distroless)
- ✅ Non-root execution by default
- ✅ Network policy enforcement
- ✅ Resource limits and quotas
- ✅ Safety Kernel: policy-before-dispatch
- ✅ Approval gates for sensitive operations
- ✅ Job hash verification
- ✅ Workflow signature validation
Internal security audits:
- Frequency: Quarterly
- Scope: Code, dependencies, configurations
- Last audit: Q4 2025

Third-party security audit:
- Status: Planned for Q2 2026
- Scope: Full stack security review
- Auditor: TBD
We actively monitor and update dependencies:
- 🔍 Automated scanning: Dependabot, Snyk
- 🔄 Update frequency: Weekly review, monthly updates
- 🚨 Critical CVEs: Patched within 48 hours
Recent security patches:
- CVE-2023-45283 (Go): Patched in v0.8.2 (Oct 2025)
- CVE-2023-44487 (HTTP/2): Mitigated in v0.8.1 (Oct 2025)
Our engineering team follows:
- ✅ Code review (2+ approvals required)
- ✅ Static analysis (golangci-lint, gosec)
- ✅ Dependency scanning (automated)
- ✅ Integration tests (security-focused scenarios)
- ✅ Threat modeling (for new features)
Cordum supports compliance with:
- SOC 2 Type II: Audit in progress
- GDPR: Data residency controls
- HIPAA: Encryption and audit logging
- FedRAMP: Roadmap for Q3 2026
Contact:
- General inquiries: security@cordum.io
- Enterprise support: enterprise-support@cordum.io
- Legal/compliance: legal@cordum.io
We recognize security researchers who responsibly disclose vulnerabilities:
- Coming soon - be the first!
Last updated: January 2026
Next review: April 2026