Security Policy

Supported Versions

The following versions of ITOps Agent Platform are currently supported with security updates:

Version	Supported
3.0.x	✅
< 3.0	❌

We take the security of ITOps Agent Platform seriously. If you discover a security vulnerability, please follow these steps:

Public disclosure of security vulnerabilities could put users at risk before a fix is available.

Acknowledgment: We will acknowledge receipt of your report within 48 hours
Assessment: We will assess the vulnerability and determine its impact
Fix Timeline: We aim to release a fix within 30 days for critical vulnerabilities
Credit: We will credit you in the release notes (unless you prefer to remain anonymous)

When deploying ITOps Agent Platform in production, please ensure:

JWT Secret: Set a strong, random JWT_SECRET in your .env file
Webhook Security: Enable WEBHOOK_VERIFY_ENABLED and configure WEBHOOK_SECRET
IP Whitelisting: Configure WEBHOOK_IP_WHITELIST to restrict webhook sources
Password Policy: Change the default admin password immediately after first login
HTTPS: Use HTTPS in production with proper TLS certificates
Network Isolation: Run the application in a private network when possible
Regular Updates: Keep the application updated to the latest version

The platform includes the following security measures:

AES-256-GCM Encryption: Server passwords and SSH keys are encrypted at rest
JWT Authentication: Dual token mechanism with automatic refresh and blacklist
Login Throttling: Account lockout after 5 failed login attempts
Rate Limiting: API endpoints are rate-limited to prevent abuse
Audit Logging: All operations are logged for traceability
Input Validation: Request validation using Zod schemas
XSS Protection: Frontend sanitizes user input and HTML output
CORS Control: Configurable allowed origins
Non-root Container: Docker containers run as non-root user

Security advisories will be published on the GitHub Security Advisories page.

Thank you for helping keep ITOps Agent Platform and its users safe!