# Security Policy

## Supported Versions
The latest tag on ghcr.io/projectbluefin/dakota always reflects the
current supported release. Older builds identified by their commit SHA are
not actively maintained for security updates.
## Reporting a Vulnerability
Please do not open a public GitHub issue for security vulnerabilities.
Report security vulnerabilities privately via GitHub's Security Advisory
feature (projectbluefin/dakota → Security → Advisories → New draft advisory),
or contact the maintainers by email at:
## Disclosure Policy
We follow coordinated vulnerability disclosure:
- You report the vulnerability privately using one of the channels above.
- We acknowledge receipt within 5 business days.
- We investigate and work on a fix, keeping you informed of progress.
- We aim to release a fix within 30 days of confirmation.
- For complex issues requiring upstream coordination, the timeline may
  extend to 90 days. We will notify you if this is the case.
- We publicly disclose the vulnerability after a fix is available, or
  after the agreed-upon disclosure deadline has passed.
We credit reporters in release notes unless you prefer to remain anonymous.
## Supply Chain Security
Dakota images are signed with keyless OIDC signatures via Sigstore/cosign,
include a BuildStream SPDX SBOM attached as an OCI referrer, and carry a
SLSA build provenance attestation generated by actions/attest-build-provenance.
Verify the image signature:

```bash
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/projectbluefin/dakota/.github/workflows/publish.yml@refs/heads/main$' \
  ghcr.io/projectbluefin/dakota:stable
```

Verify the SLSA provenance:

```bash
cosign verify-attestation \
  --type https://slsa.dev/provenance/v1 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/projectbluefin/dakota/.github/workflows/publish.yml@refs/heads/main$' \
  ghcr.io/projectbluefin/dakota:stable
```

Both commands establish only that the signature and the attestation were produced by the `publish.yml` workflow on `main` of this repository. Two points to keep in mind when consuming them:

- `stable` is a mutable tag. The verified payload that `cosign verify` prints includes the manifest digest it checked (`critical.image.docker-manifest-digest`); pull and run the image by that `sha256:` digest rather than by tag, so that what you verified is what you run.
- The regular expression above is anchored at both ends. If you prefer an exact string comparison, pass the same value to `--certificate-identity` instead of `--certificate-identity-regexp`.
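`cosign verify-attestation` proves who signed the provenance, not what it says. A consumer still has to decode the attestation and check that it covers the image digest it is about to run and that the build came from the expected repository, workflow file and ref. The script below is an added example for this page, not code from the Dakota project: it parses the DSSE envelopes cosign prints (one JSON object per line with a base64 `payload`) and applies those checks. The field layout under `predicate.buildDefinition.externalParameters.workflow` is assumed from the SLSA v1 provenance that `actions/attest-build-provenance` emits, and the sample envelope is constructed inline with a placeholder digest and signature so the script runs offline.

```python
"""Content checks on SLSA v1 provenance returned by `cosign verify-attestation`.

Added example, not part of the Dakota project. cosign has already verified the
signature and signer identity; this script checks the *claims* in the statement:
  1. the predicate is SLSA provenance v1,
  2. a subject digest equals the digest of the image about to be run,
  3. the build came from the expected repository, workflow file and ref.
The workflow field names are assumed from actions/attest-build-provenance output.
"""
import base64
import json

EXPECTED_REPO = "https://github.com/projectbluefin/dakota"
EXPECTED_WORKFLOW = ".github/workflows/publish.yml"
EXPECTED_REF = "refs/heads/main"
SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO_TYPE = "application/vnd.in-toto+json"


def decode_envelopes(cosign_output: str) -> list[dict]:
    """Return the in-toto statements carried by each DSSE envelope line."""
    statements = []
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_TYPE:
            continue  # not an in-toto attestation; ignore it
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def check_provenance(statement: dict, image_digest: str) -> list[str]:
    """Return a list of problems; an empty list means the statement is acceptable."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType is {statement.get('predicateType')!r}, want {SLSA_V1!r}")

    # The attestation must name the exact manifest digest we resolved, not just the repo.
    want = image_digest.removeprefix("sha256:")
    covered = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if want not in covered:
        problems.append(f"subject digest mismatch: attestation covers {sorted(covered)}, image is {want}")

    # Assumed layout: predicate.buildDefinition.externalParameters.workflow.{repository,path,ref}
    workflow = (statement.get("predicate", {}).get("buildDefinition", {})
                .get("externalParameters", {}).get("workflow", {}))
    for key, expected in (("repository", EXPECTED_REPO),
                          ("path", EXPECTED_WORKFLOW),
                          ("ref", EXPECTED_REF)):
        if workflow.get(key) != expected:
            problems.append(f"workflow.{key} is {workflow.get(key)!r}, want {expected!r}")
    return problems


def provenance_ok(cosign_output: str, image_digest: str) -> bool:
    """True only if at least one statement decodes and every decoded statement passes."""
    statements = decode_envelopes(cosign_output)
    return bool(statements) and all(not check_provenance(s, image_digest) for s in statements)


# Constructed sample (not real cosign output): a statement shaped as assumed above,
# wrapped in a DSSE envelope. Digest and signature are placeholders.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/projectbluefin/dakota",
                 "digest": {"sha256": SAMPLE_DIGEST.removeprefix("sha256:")}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {"ref": EXPECTED_REF, "repository": EXPECTED_REPO,
                             "path": EXPECTED_WORKFLOW}},
        },
    },
}
SAMPLE_COSIGN_OUTPUT = json.dumps({
    "payloadType": IN_TOTO_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
}) + "\n"

if __name__ == "__main__":
    # Real use: cosign verify-attestation ... | python3 check_provenance.py sha256:<digest>
    # Here we run against the constructed sample, once with the right digest, once with a wrong one.
    for digest in (SAMPLE_DIGEST, "sha256:" + "00" * 32):
        for stmt in decode_envelopes(SAMPLE_COSIGN_OUTPUT):
            for problem in check_provenance(stmt, digest):
                print("FAIL:", problem)
        print(digest[:19], "->", "ok" if provenance_ok(SAMPLE_COSIGN_OUTPUT, digest) else "rejected")
```

In practice the `image_digest` argument comes from the digest `cosign verify` reported (or from `docker inspect`/`skopeo inspect` on the resolved manifest), never from the tag. Rejecting when no envelope decodes is deliberate: an empty or malformed cosign output must fail closed rather than pass vacuously.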