Security & Responsible Disclosure

Stella Ops Suite is designed for verifiable release governance:

  • Releases are Cosign-signed
  • Evidence exports are DSSE-attested
  • Policies and decisions can be replayed deterministically for audit

Report a vulnerability

Email: security@stella-ops.org

PGP: 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723

Please include:

  • Impact + affected component/version
  • Reproduction steps or PoC
  • Relevant logs/screenshots
  • Your preferred disclosure timeline

We acknowledge reports within 72 hours and keep you informed until a fix is published.

Verify what you run

Keys: /keys/

The commands below pass the key by URL for convenience. For anything you deploy, download cosign.pub once, compare it against a copy obtained out of band, and pass the local file to --key; prefer verifying an image by its digest rather than by a mutable tag.

Verify a container image

cosign verify \
  --key https://stella-ops.org/keys/cosign.pub \
  registry.stella-ops.org/stella-ops/stella-ops:<VERSION>

Verify an Offline Kit tarball + signed manifest

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
  stella-ops-offline-kit-<DATE>.tgz

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature offline-manifest-<DATE>.json.jws \
  offline-manifest-<DATE>.json
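The same verification as a script that pins the key locally instead of fetching it on every run, and accepts a digest reference for the image. This is an added example, not Stella Ops' own tooling; the expected key fingerprint (EXPECTED_KEY_SHA256), the digest you pass, and the script name are placeholders, and it assumes cosign and curl on PATH.

```shell
#!/bin/sh
# Added example (not the project's own script): verify a Stella Ops release
# with a locally pinned copy of the Cosign public key, then verify the image
# and the Offline Kit artifacts with that pinned key.
# Placeholders: EXPECTED_KEY_SHA256 and the digest/date arguments.
set -eu

KEY_URL="https://stella-ops.org/keys/cosign.pub"
KEY_FILE="${KEY_FILE:-./stella-cosign.pub}"
IMAGE="registry.stella-ops.org/stella-ops/stella-ops"
# Placeholder: the SHA-256 of cosign.pub obtained out of band (for example
# from a previously verified checkout), never from the same download.
EXPECTED_KEY_SHA256="${EXPECTED_KEY_SHA256:-replace-with-64-hex-digits}"

# Print the SHA-256 hex digest of a file; works with coreutils or BSD tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's SHA-256 equals the expected digest (case-insensitive),
# 1 otherwise. This check is what makes a URL-fetched --key trustworthy.
key_fingerprint_ok() {
  _actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$_actual" = "$_expected" ]
}

# Download the key only if a pinned copy is not already present.
fetch_key() {
  [ -s "$KEY_FILE" ] && return 0
  curl -fsSL "$KEY_URL" -o "$KEY_FILE"
}

# Build the image reference: "sha256:<hex>" yields an immutable digest
# reference, anything else is treated as a (mutable) tag.
image_ref() {
  case "$1" in
    sha256:*) printf '%s@%s\n' "$IMAGE" "$1" ;;
    *)        printf '%s:%s\n' "$IMAGE" "$1" ;;
  esac
}

verify_image() {
  cosign verify --key "$KEY_FILE" "$(image_ref "$1")" >/dev/null
}

# usage: verify_blob <signature-file> <blob>
verify_blob() {
  cosign verify-blob --key "$KEY_FILE" --signature "$1" "$2"
}

main() {
  ref="$1"        # sha256:<digest> of the release image, or a tag
  kit_date="$2"   # the <DATE> part of the Offline Kit file names
  fetch_key
  if ! key_fingerprint_ok "$KEY_FILE" "$EXPECTED_KEY_SHA256"; then
    echo "refusing to verify: $KEY_FILE does not match the pinned fingerprint" >&2
    exit 1
  fi
  verify_image "$ref"
  verify_blob "stella-ops-offline-kit-$kit_date.tgz.sig" \
              "stella-ops-offline-kit-$kit_date.tgz"
  verify_blob "offline-manifest-$kit_date.json.jws" \
              "offline-manifest-$kit_date.json"
  echo "all signatures verified with pinned key $KEY_FILE"
}

# Runs only when invoked with arguments, e.g.:
#   ./verify-release.sh sha256:<digest> <DATE>
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

The script fails closed: if the downloaded key does not match the pinned fingerprint, nothing is verified and the exit status is non-zero, so it can gate a deployment pipeline. The fingerprint check deliberately lives in its own function so it can be reused for any other key published under /keys/.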

Safeguards in service

  • Release integrity: Cosign signatures + DSSE bundles referencing the exact Git tag
  • Evidence chain: Decision Capsules are signed and replayable (see /evidence/)
  • Access logs: raw entries kept for 7 days, after which the IP address is replaced by its SHA-256 hash (ip → sha256(ip))
  • JWT access ledger: stores only a hash of the token ID (no email or IP address)
  • Token validation: can be verified offline using published public keys
  • Container hardening: non-root UID, CPU/RAM limits, SELinux/AppArmor support
  • Air-gap parity: Offline Kit (see /offline/)

No mandatory telemetry

No analytics, trackers, pixels, or third-party JS in the web UI. Product telemetry is disabled by default and strictly opt-in.

Privacy details: /privacy/