We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure:
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: aether-security@kitumsystems.com
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Status Updates: Every 7 days until resolved
- Resolution Target: 90 days for critical issues, 180 days for others
- Day 0: Vulnerability reported
- Day 1: Acknowledgment sent
- Day 3: Initial assessment completed
- Day 7-90: Fix development and testing
- Day 90+: Public disclosure (coordinated with reporter)
We do not currently offer a bug bounty program, but we recognize security researchers in our Hall of Fame.
Authentication:
- Use strong, unique passwords
- Enable multi-factor authentication (MFA)
- Rotate API keys every 90 days
- Use short-lived tokens where possible
Network Security:
- Deploy in private VPC
- Use security groups to restrict access
- Enable VPC Flow Logs
- Use TLS 1.2+ for all connections
Data Protection:
- Enable encryption at rest (KMS)
- Enable encryption in transit (TLS)
- Regular backups with encryption
- Implement least-privilege access
Monitoring:
- Enable CloudTrail audit logging
- Monitor CloudWatch alarms
- Review access logs regularly
- Set up alerting for suspicious activity
Code Security:
- Run security scanners on every commit
- Fix critical/high vulnerabilities immediately
- Review dependencies for known CVEs
- Never commit secrets to version control
Testing:
- Write security-focused tests
- Test authentication and authorization
- Validate input sanitization
- Test error handling
Dependencies:
- Keep dependencies up to date
- Review dependency licenses
- Pin dependency versions
- Use lock files (go.sum, package-lock.json)
- JWT-based authentication with HS256 signing (RS256 supported via key files)
- Multi-tenancy isolation enforced at API and data layers
- Role-based access control (RBAC) for fine-grained permissions
- API key authentication for service-to-service communication
- Encryption at rest: AES-256 via AWS KMS
- Encryption in transit: TLS 1.2+ for all connections
- Secrets management: AWS Secrets Manager integration
- Password hashing: bcrypt with cost factor 12
- Private VPC deployment
- Security groups with least-privilege rules
- Network segmentation (public/private subnets)
- VPC Flow Logs for traffic monitoring
- CloudTrail for API audit logging (7-year retention)
- VPC Flow Logs for network monitoring
- Structured logging with correlation IDs
- Metrics and alerting via Prometheus/CloudWatch
- Input validation on all API endpoints
- SQL injection prevention via parameterized queries
- Command injection prevention via input validation
- Rate limiting to prevent abuse
- Circuit breakers to prevent cascading failures
We use multiple security tools in our CI/CD pipeline:
- Trivy: Container and filesystem vulnerability scanning
- tfsec: Terraform security analysis
- Checkov: Infrastructure as code compliance
- Gosec: Go code security scanning
- Docker Scout: Container CVE scanning
- TruffleHog: Secret detection in code
- Dependency Review: Automated dependency vulnerability checking
All scans run on:
- Every pull request
- Every commit to main/develop
- Daily scheduled scans
- Manual workflow dispatch
| Severity | Response Time | Fix Target |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 72 hours | 30 days |
| Medium | 7 days | 90 days |
| Low | 30 days | 180 days |
- Detection: Automated scanning or manual report
- Triage: Assess severity and impact
- Assignment: Assign to security team
- Fix: Develop and test patch
- Release: Deploy fix to production
- Disclosure: Public disclosure (if warranted)
- P0 (Critical): Data breach, system compromise, widespread outage
- P1 (High): Unauthorized access, data exposure, partial outage
- P2 (Medium): Failed attack attempt, suspicious activity
- P3 (Low): Security policy violation, minor misconfiguration
- Incident Commander: Coordinates response
- Security Engineer: Investigates and mitigates
- Operations Engineer: System recovery
- Communications Lead: Stakeholder updates
- Detection: Alert triggered or issue reported
- Assessment: Determine severity and scope
- Containment: Stop active breach/attack
- Eradication: Remove threat from environment
- Recovery: Restore normal operations
- Lessons Learned: Post-incident review
Aether is designed to support:
- SOC 2 Type II compliance
- GDPR data protection requirements
- HIPAA (with additional configuration)
- PCI DSS (for payment data handling)
Specific compliance requirements:
- Audit logging with 7-year retention
- Encryption at rest and in transit
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- General Security: aether-security@kitumsystems.com
- Vulnerability Reports: aether-security@kitumsystems.com
- Compliance Questions: aether@kitumsystems.com
We thank the following security researchers for responsible disclosure:
- Coming soon
Last Updated: 2026-02-07 Version: 1.0.0