| Version | Supported |
|---|---|
| 1.1.x (Q-GRID Comply) | Yes |
| 1.0.x (OpenWork) | Security fixes only |
| < 1.0 | No |
DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report vulnerabilities via one of these channels:

- Email: security@taurusai.io
- GitHub Security Advisory: Create a private advisory

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

| Action | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development | Within 30 days for critical issues |
| Public disclosure | After fix is deployed |
This project follows security best practices:
- Post-Quantum Cryptography: ML-DSA (FIPS 204) and ML-KEM (FIPS 203)
- NIST PQC Compliance: Following NIST post-quantum migration guidelines
- Dependency Scanning: Automated via Dependabot
- Code Review: All changes require review via CODEOWNERS
- Secret Management: No secrets in code; environment variables only
- Audit Trails: Immutable blockchain-anchored audit logs via Hedera HCS

The following are in scope for security reports:

- `packages/core/` - SDK wrapper and authentication
- `packages/api/` - Backend API server
- `packages/mcp-servers/` - Hedera MCP tools
- `products/gridera/web/` - Q-GRID Comply SaaS application
- `products/gridera/src/crypto/` - Cryptographic implementations

Out of scope:

- Third-party dependencies (report to upstream)
- Social engineering attacks
- Denial of service attacks