The OpenFGA Operator team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@openfga.dev

Include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

• Initial Response: We will acknowledge receipt of your vulnerability report within 24 hours
• Assessment: We will provide an initial assessment of the vulnerability within 72 hours
• Resolution: We aim to resolve critical vulnerabilities within 7 days, high severity within 30 days
• Disclosure: We will coordinate with you on public disclosure timing after the vulnerability is fixed

This security policy applies to:

• The OpenFGA Operator codebase
• Official container images
• Documentation and examples
• Associated infrastructure and deployment manifests

The OpenFGA Operator implements multiple security layers:

• Validates all OpenFGA custom resources before deployment
• Enforces security policies and compliance requirements
• Prevents deployment of unsigned or vulnerable container images
• Validates resource configurations against security best practices

• Requires GPG-signed commits from authenticated developers
• Implements multi-factor authentication for sensitive operations
• Validates developer certificates and permissions
• Maintains comprehensive audit logs of all development activities

• Mandatory vulnerability scanning for all container images
• Signature verification for container images
• Runtime security monitoring and anomaly detection
• Secure-by-default container configurations

• TLS encryption for all communications
• Network policies for traffic segmentation
• Service mesh integration for advanced security controls
• Zero-trust network architecture

We provide security updates for the following versions:

When deploying the OpenFGA Operator, follow these security best practices:

1. Use Latest Version: Always deploy the latest supported version
2. Network Policies: Implement Kubernetes network policies
3. RBAC: Use least-privilege RBAC configurations
4. Secrets Management: Use Kubernetes secrets or external secret management
5. Image Security: Only use signed, scanned container images

1. Security Contexts: Use restrictive security contexts
2. Resource Limits: Set appropriate resource limits
3. Admission Controllers: Enable and configure admission controllers
4. Monitoring: Implement comprehensive security monitoring

1. Regular Updates: Keep the operator and dependencies updated
2. Security Scanning: Regularly scan for vulnerabilities
3. Audit Logging: Enable comprehensive audit logging
4. Incident Response: Have an incident response plan ready

The OpenFGA Operator implements defense-in-depth security:

┌─────────────────────────────────────────┐
│           Network Security              │
│  ┌───────────────────────────────────┐  │
│  │        Admission Control          │  │
│  │  ┌─────────────────────────────┐  │  │
│  │  │     Container Security      │  │  │
│  │  │  ┌───────────────────────┐  │  │  │
│  │  │  │   OpenFGA Operator    │  │  │  │
│  │  │  │                       │  │  │  │
│  │  │  └───────────────────────┘  │  │  │
│  │  └─────────────────────────────┘  │  │
│  └───────────────────────────────────┘  │
└─────────────────────────────────────────┘

The OpenFGA Operator is designed to help meet various compliance requirements:

• SOC 2 Type II: Security, availability, and confidentiality controls
• ISO 27001: Information security management systems
• NIST Cybersecurity Framework: Risk-based cybersecurity approach
• GDPR: Data protection and privacy (where applicable)
• HIPAA: Healthcare information protection (with proper configuration)

• General Security: security@openfga.dev
• Security Team Lead: security-lead@openfga.dev
• Incident Response: incident-response@openfga.dev
• Compliance: compliance@openfga.dev

Our security team's GPG keys for encrypted communications:

Security Team GPG Key
Key ID: 0x1234567890ABCDEF
Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678

• Security Architecture
• Security Policy
• Incident Response Plan
• Product Security Roadmap

We appreciate the security research community's efforts in helping keep our software secure. Security researchers who responsibly disclose vulnerabilities will be:

1. Acknowledged in our security advisories (with permission)
2. Listed in our Hall of Fame (with permission)
3. Eligible for our security bug bounty program (when available)

• This security policy is subject to our Terms of Service
• By reporting vulnerabilities, you agree to our responsible disclosure terms
• We reserve the right to modify this policy at any time

Last Updated: January 2024
Version: 1.0
Contact: security@openfga.dev