Stella Ops – Signed Reachability · Deterministic Replay

Reporting a vulnerability 🔒

Email our Vulnerability Response Team at security@stella‑ops.org (PGP fingerprint 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723).

Please include:

Description and potential impact
Reproduction steps or PoC
Relevant logs / screenshots
Your preferred disclosure timeline

We acknowledge within 72 h and keep you informed until a fix is published.

Authenticity marks 🔏

Cosign provenance + SPDX SBOM: every image and Offline Kit ships with a DSSE bundle referencing the exact Git tag.
PGP signatures: advisories, release notes, and security mail are signed with fingerprint 9BCF 5D1D 6EA9 8F99 24F4 6071 B618 ABAF 7D23 C65D 7A86 77E8 2DE3 7815 6126 F723.
Sovereign crypto support: optional SM2/SM3 or other state-approved providers sign the same manifests when required by law.

Existing safeguards ✅

Layer	Measure
Release integrity	Cosign-signed artefacts, DSSE replay manifests, and reproducible SBOMs
Access logs	Stored 7 days, then `ip → sha256(ip)`
JWT quota ledger	Stores token‑ID hash + daily counter; no email/IP
Soft throttle	At 90% daily scan quota the CLI displays a reminder; at 333 scans/day requests slow but never fail
Regional crypto	Pluggable TLS/signing providers (e.g. SM2/SM3, GOST) with the same DSSE + Cosign trail
Container hardening	Non‑root UID, cgroup CPU/RAM limits, SELinux/AppArmor
Air‑gap ready	See Offline Kit

Zero‑telemetry promise 📉

No analytics, trackers, or third‑party JS in the web UI.
Access logs rotate at seven days; no profiling or fingerprinting.
Supplying a free JWT (333 scans/day) does not introduce extra tracking.

Hall of Thanks 🏆

Researchers following this process can be credited in release notes (opt‑in, naturally).

Security Policy & Responsible Disclosure

Reporting a vulnerability 🔒

Authenticity marks 🔏

Existing safeguards ✅

Zero‑telemetry promise 📉

Hall of Thanks 🏆