E-OS takes security seriously: it's an operating system. Thank you for helping keep it and its users safe.
| Version | Supported |
|---|---|
| 0.1.x (Genesis) | Yes |
| main (rolling) | Yes, latest fixes |
| lts/0.1 (LTS line) | Yes, extended-support backports |
| eos-base (checkpoint) | Yes |
| Legacy 2019 mirror (master, 0.4.1) | No, archived and unsupported |
Because E-OS is pre-1.0 (alpha), main carries the latest security fixes; the lts/0.1 branch tracks the 0.1 "Genesis" line and receives security backports for an extended window, so a deployment can pin to a stable line instead of rolling main.
Please do not open a public issue, PR, or discussion for security bugs.
Report privately via one of:
- GitHub Security Advisories → Security → Report a vulnerability (preferred): https://github.com/Gh0s777tt/E-OS/security/advisories/new
- Email the maintainer: dzierzawskii98.dam@gmail.com (subject prefix [E-OS SECURITY]; PGP key on request).
Please include: affected component/commit, impact, reproduction steps, and any PoC. We aim to:
| Stage | Target |
|---|---|
| Acknowledge report | ≤ 72 h |
| Initial assessment | ≤ 7 days |
| Fix / mitigation plan | โค 30 days (severity-dependent) |
| Coordinated disclosure | by mutual agreement |
We support coordinated disclosure and will credit reporters (opt-in).
In scope: the E-OS kernel, relibc, RedoxFS, drivers, build/cookbook tooling, release artifacts, and this repository's CI/CD.
Upstream: vulnerabilities inherited from Redox OS or third-party crates should also be reported to the relevant upstream. We will help coordinate.
Out of scope: issues only affecting the archived 2019 mirror; volumetric DoS; social engineering; findings without a security impact.
E-OS's OS-level security posture is documented in:
- Threat model: assets, trust boundaries, adversaries, and the mitigations the microkernel + capability-scheme design provides (with honest non-goals for a pre-1.0 system).
- Hardening guide: a practical, impact-ordered checklist (change default credentials, encrypt the disk, minimize packages, verify downloads).
- Disk encryption: RedoxFS AES-XTS-128 full-disk encryption; installing, building and booting an encrypted E-OS root.
- Secret scanning + push protection and gitleaks in CI: credentials never land in history.
- Dependabot (dependencies) and CodeQL (code scanning).
- Branch protection on the default branch; CODEOWNERS review required.
- Signed commits encouraged; releases publish SHA256SUMS + a CycloneDX SBOM, with the checksums minisign-signed in CI when a key is configured (see ROADMAP R-301/R-302).
- AGPL-3.0: modifications, including networked use, must be shared.
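The "verify downloads" step of the hardening guide and the SHA256SUMS + minisign release artifacts above fit together as follows. The script below is an added example, not code from the E-OS project: it checks a downloaded artifact against the published SHA256SUMS and, when the minisign tool is installed, checks the signature over SHA256SUMS. The signature file name (SHA256SUMS.minisig, minisign's default), the public-key file name (eos-release.pub) and the demo image name are assumptions, not names the project publishes.

```shell
#!/bin/sh
# Added example (not E-OS project code): verify a release download
# against its SHA256SUMS file and the minisign signature over that file.
# Assumed names: SHA256SUMS.minisig (minisign's default sidecar name)
# and eos-release.pub (the maintainer's minisign public key).

# verify_checksums DIR
# Runs sha256sum over every file that SHA256SUMS lists and that is present
# in DIR. Returns 0 only if every present file matches its recorded hash.
# --ignore-missing lets a user verify just the artifact they downloaded;
# GNU sha256sum still fails if no listed file was found at all.
verify_checksums() {
    dir="$1"
    ( cd "$dir" && sha256sum -c --ignore-missing --quiet SHA256SUMS ) >/dev/null 2>&1
}

# verify_signature DIR PUBKEY
# Checks DIR/SHA256SUMS against DIR/SHA256SUMS.minisig with PUBKEY.
# Returns 0 on a valid signature, 1 when the signature is bad or the key
# is wrong, and 2 when minisign is not installed (caller must decide
# whether an unverified checksum file is acceptable).
verify_signature() {
    dir="$1"
    pubkey="$2"
    command -v minisign >/dev/null 2>&1 || return 2
    minisign -Vm "$dir/SHA256SUMS" -p "$pubkey" >/dev/null 2>&1
}

# verify_release DIR PUBKEY
# Signature first, then checksums: a checksum file that is not signed
# proves nothing about who produced the artifact.
verify_release() {
    dir="$1"
    pubkey="$2"
    verify_signature "$dir" "$pubkey"
    rc=$?
    [ "$rc" -eq 1 ] && { echo "signature check FAILED" >&2; return 1; }
    [ "$rc" -eq 2 ] && echo "warning: minisign not installed, checksum file unsigned" >&2
    verify_checksums "$dir" || { echo "checksum mismatch" >&2; return 1; }
    echo "release verified"
}

# make_demo_release DIR
# Builds a constructed, offline test fixture: a fake image plus a
# SHA256SUMS file for it. Purely for trying the functions above.
make_demo_release() {
    dir="$1"
    printf 'constructed demo image, not a real E-OS build\n' > "$dir/eos-demo.img"
    ( cd "$dir" && sha256sum eos-demo.img > SHA256SUMS )
}

# Usage against a real download directory:
#   verify_release /path/to/eos-release /path/to/eos-release.pub
```

A tampered artifact fails the checksum step, while a tampered or substituted SHA256SUMS fails the signature step; only the combination ties the bytes on disk to the key that signed the release.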
See docs/security.md for the contributor security guide.