Please do NOT report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in the APIC Vibe Portal, please report it responsibly:
- GitHub Security Advisories (preferred): Use GitHub Security Advisories to report vulnerabilities privately.
- Email: Send details to the repository maintainers via the contact information in the repository.
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix for critical issues: Within 7 days
- Fix for high issues: Within 30 days
| Version | Supported |
|---|---|
| Latest on main | ✅ |
| Previous releases | Best effort |
This project implements the following security controls:
- Authentication: Azure Entra ID (Azure AD) with OIDC
- Authorization: Role-Based Access Control (RBAC) with security trimming
- Secrets Management: Azure Key Vault with Managed Identity
- CI/CD Security: SAST (CodeQL), dependency scanning (Dependabot), container scanning (Trivy), secret scanning
- API Protection: Rate limiting, bot detection, input validation
- Infrastructure: Encryption at rest and in transit, network isolation
For detailed security documentation, see docs/security/.