We actively support the following versions with security updates:

We take security seriously. If you discover a security vulnerability, please follow responsible disclosure practices:

• Open a public issue
• Post in discussions
• Share details publicly before patch is released

1. Email Security Team: [email protected] (or through GitHub Security Advisory)
2. Provide Details:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)
   • Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 5 business days
• Fix Timeline: Depends on severity
  • Critical: 1-7 days
  • High: 7-14 days
  • Medium: 14-30 days
  • Low: 30-90 days

1. Vulnerability reported and confirmed
2. Patch developed and tested
3. Security advisory drafted
4. Patch released
5. Public disclosure (coordinated)

We follow a 90-day disclosure timeline unless:

• Critical vulnerabilities (faster)
• Coordination with other projects needed
• Exceptional circumstances

When using FARP:

// Always validate and authenticate service registrations
registry.RegisterManifest(ctx, manifest, WithAuth(token))

// Implement authorization checks
if !isAuthorized(ctx, service) {
    return ErrUnauthorized
}

// Validate all schema manifests
if err := manifest.Validate(); err != nil {
    return fmt.Errorf("invalid manifest: %w", err)
}

// Sanitize URLs and paths
cleanURL := sanitizeURL(schemaLocation.URL)

• Use TLS/HTTPS for all schema URLs
• Verify TLS certificates
• Use mTLS for service-to-gateway communication
• Encrypt sensitive data at rest and in transit

// Verify schema checksums
manifest.Schemas[0].Checksum = &SchemaChecksum{
    Algorithm: "sha256",
    Value:     computeSHA256(schemaContent),
}

// Validate before use
if !manifest.VerifyChecksum(schemaContent) {
    return ErrChecksumMismatch
}

// Implement rate limiting for registrations
limiter := rate.NewLimiter(rate.Limit(10), 100)
if !limiter.Allow() {
    return ErrRateLimitExceeded
}

• Restrict registry access to authorized services
• Use network policies/firewalls
• Implement RBAC for multi-tenant scenarios
• Audit all registration and query operations

// Never log sensitive data
logger.Info("registration", 
    "service", manifest.ServiceName,
    // DO NOT log tokens, keys, passwords
)

// Use secret management systems
token := os.Getenv("FARP_TOKEN")
if token == "" {
    // Fetch from secrets manager
    token = fetchFromVault(ctx, "farp/token")
}

• Limit manifest size (e.g., 10MB max)
• Implement request timeouts
• Use circuit breakers
• Monitor resource usage

// Limit manifest size
if len(manifestBytes) > MaxManifestSize {
    return ErrManifestTooLarge
}

// Timeout contexts
ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
defer cancel()

• Keep dependencies up to date
• Monitor security advisories
• Use Dependabot (already configured)
• Run security scanners (Gosec, Semgrep)

// Don't leak sensitive information in errors
if err != nil {
    logger.Error("registration failed",
        "service", manifest.ServiceName,
        "error", err)
    // Return generic error to client
    return ErrRegistrationFailed
}

When using HTTP-based schema locations:

• Risk: Man-in-the-middle attacks
• Mitigation: Always use HTTPS with certificate validation
• Alternative: Use inline schemas for sensitive services

When using mDNS for local discovery:

• Risk: Broadcast information visible on network
• Mitigation: Use on trusted networks only
• Alternative: Use encrypted service discovery backends (Consul with TLS)

Schemas may contain sensitive information:

• Risk: API structure exposure
• Mitigation: Use access control on schema endpoints
• Best Practice: Separate public and internal schemas

We run multiple security checks:

• Gosec: Go security scanner
• CodeQL: Semantic code analysis
• Dependency scanning: Dependabot and Snyk
• SAST: Static analysis in CI
• Fuzzing: For critical parsers (future)

Security patches are released as:

• Patch versions (e.g., 1.2.4)
• Tagged with security label
• Announced via GitHub Security Advisories
• Documented in CHANGELOG.md

Subscribe to releases and advisories:

• Watch this repository
• Enable security alerts
• Subscribe to GitHub Security Advisories

FARP is designed to work in regulated environments:

• No data collection: FARP doesn't collect or transmit telemetry
• Audit trails: Enable comprehensive logging
• Encryption: Support for encrypted storage backends
• Access control: Pluggable authentication/authorization

For security-related questions (non-vulnerability):

• Open a discussion on GitHub
• Email: [email protected]

Last Updated: 2025-11-01
Security Policy Version: 1.0