| Version | Supported |
|---|---|
| 0.1.x | Yes |

If you discover a security vulnerability in Urule, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead:
- Email the maintainers directly with details of the vulnerability
- Include steps to reproduce the issue
- Include the potential impact
We will acknowledge receipt within 48 hours and provide a timeline for a fix.
Urule implements the following security measures:
- JWT Authentication — All services validate Keycloak-issued JWTs via JWKS (`@urule/auth-middleware`)
- Input Validation — All POST/PATCH routes validate with Zod schemas
- CORS Lockdown — Configurable origin whitelist (not `origin: *`)
- Rate Limiting — `@fastify/rate-limit` on all services (100 req/min, 30 for AI chat)
- Audit Logging — Sensitive operations logged with actor identity
- Config Validation — Required environment variables checked at startup
- Graceful Shutdown — SIGTERM handlers close connections properly
- Schema-per-Service — No cross-service database access
See ROADMAP.md Section 1 (Security) for completed and remaining security items.
We follow a 90-day responsible disclosure policy. After a vulnerability is reported and confirmed, we will:
- Develop and test a fix
- Release a patched version
- Publish a security advisory on GitHub
- Credit the reporter (unless they prefer anonymity)