Skip to content

Security: Gh0s777tt/E-OS

Security

SECURITY.md

๐Ÿ” Security Policy

E-OS takes security seriously โ€” it's an operating system. Thank you for helping keep it and its users safe.

๐Ÿ“ฆ Supported versions

Version Supported
0.1.x (Genesis) โœ…
main (rolling) โœ… latest fixes
lts/0.1 (LTS line) โœ… extended-support backports
eos-base (checkpoint) โœ…
Legacy 2019 mirror (master, 0.4.1) โŒ archived, unsupported

Because E-OS is pre-1.0 (alpha), main carries the latest security fixes; the lts/0.1 branch tracks the 0.1 โ€œGenesisโ€ line and receives security backports for an extended window, so a deployment can pin to a stable line instead of rolling main.

๐Ÿšจ Reporting a vulnerability

Please do not open a public issue, PR, or discussion for security bugs.

Report privately via one of:

  1. GitHub Security Advisories โ€” Security โ†’ Report a vulnerability (preferred): https://github.com/Gh0s777tt/E-OS/security/advisories/new
  2. Email the maintainer: dzierzawskii98.dam@gmail.com (subject prefix [E-OS SECURITY]; PGP key on request).

Please include: affected component/commit, impact, reproduction steps, and any PoC. We aim to:

Stage Target
Acknowledge report โ‰ค 72 h
Initial assessment โ‰ค 7 days
Fix / mitigation plan โ‰ค 30 days (severity-dependent)
Coordinated disclosure by mutual agreement

We support coordinated disclosure and will credit reporters (opt-in).

๐ŸŽฏ Scope

In scope: the E-OS kernel, relibc, RedoxFS, drivers, build/cookbook tooling, release artifacts, and this repository's CI/CD.

Upstream: vulnerabilities inherited from Redox OS or third-party crates should also be reported to the relevant upstream. We will help coordinate.

Out of scope: issues only affecting the archived 2019 mirror; volumetric DoS; social engineering; findings without a security impact.

๐Ÿงญ Threat model, hardening & encryption

E-OS's OS-level security posture is documented in:

  • Threat model โ€” assets, trust boundaries, adversaries, and the mitigations the microkernel + capability-scheme design provides (with honest non-goals for a pre-1.0 system).
  • Hardening guide โ€” a practical, impact-ordered checklist (change default credentials, encrypt the disk, minimize packages, verify downloads).
  • Disk encryption โ€” RedoxFS AES-XTS-128 full-disk encryption: installing, building and booting an encrypted E-OS root.

๐Ÿ›ก๏ธ How we harden this repository

  • ๐Ÿ”‘ Secret scanning + push protection and gitleaks in CI โ€” credentials never land in history.
  • ๐Ÿค– Dependabot (dependencies) and CodeQL (code scanning).
  • ๐Ÿ‘ฎ Branch protection on the default branch; CODEOWNERS review required.
  • โœ๏ธ Signed commits encouraged; releases publish SHA256SUMS + a CycloneDX SBOM, with the checksums minisign-signed in CI when a key is configured (see ROADMAP R-301/R-302).
  • โš–๏ธ AGPL-3.0 โ€” modifications, including networked use, must be shared.

See docs/security.md for the contributor security guide.

There aren't any published security advisories