We take security seriously for all components of the Spacecraft VMS. Currently supported versions:

| Version | Supported |
|---|---|
| main | ✅ |
| develop | ✅ |

IMPORTANT: Do not report security vulnerabilities through public GitHub issues.
For mission-critical and safety-related vulnerabilities, please follow this process. If you discover a vulnerability that could:
- Compromise spacecraft safety
- Lead to mission failure
- Expose sensitive mission data
- Allow unauthorized access to spacecraft systems
Please report immediately via:
- Email: security@spacecraft-vms.org (if available)
- Private GitHub Security Advisory
- Direct message to maintainers
For other security concerns:
- Use GitHub's private vulnerability reporting
- Provide detailed reproduction steps
- Include potential impact assessment
Response times by severity:
- Critical vulnerabilities: Response within 24 hours
- High severity: Response within 72 hours
- Medium/Low severity: Response within 1 week

Critical severity examples:
- Remote code execution
- Privilege escalation in flight software
- Safety system bypass
- Mission data exposure

High severity examples:
- Local privilege escalation
- Information disclosure
- Denial of service affecting critical systems

Medium severity examples:
- Cross-site scripting in ground tools
- Information leakage (non-critical)

Low severity examples:
- Local denial of service
- Minor information disclosure
- Non-exploitable bugs with security implications
Security measures in place across development, deployment and operations:
- Static analysis integrated in CI/CD
- Dependency vulnerability scanning
- Code review required for all changes
- Automated security testing
- Secure boot implementation
- Encrypted communications
- Access control and authentication
- Regular security updates
- Runtime security monitoring
- Anomaly detection
- Security event logging
- Incident response procedures
Security best practices for contributors:
- Use secure coding practices
- Validate all inputs
- Handle errors securely
- Avoid hardcoded secrets
- Use parameterized queries
- Implement proper authentication

Security best practices for operators:
- Keep systems updated
- Use strong authentication
- Monitor security logs
- Follow the principle of least privilege
- Perform regular security assessments
We believe in coordinated vulnerability disclosure:
- Report the vulnerability privately
- Allow reasonable time for fixes
- Coordinate public disclosure timing
- Credit security researchers appropriately
We use these tools for security assurance:
- Static Analysis: CodeQL, Semgrep, cppcheck
- Dependency Scanning: Dependabot, Trivy
- Runtime Protection: AddressSanitizer, Valgrind
- Fuzzing: AFL++, libFuzzer
For security-related questions or concerns:
- Security team: security@spacecraft-vms.org
- Maintainer: @hkevin01
Thank you for helping keep Spacecraft VMS secure!