Security
Responsible disclosure.
Signed patches.
OSSeva takes security seriously on both sides of the equation — we receive responsible disclosures from researchers, and we deliver cryptographically signed patch builds that customers can verify independently.
Reporting a vulnerability
security@osseva.io
Email us with a description of the vulnerability, affected component, reproduction steps, and your impact assessment. Encrypt sensitive reports using the PGP key below.
- Initial acknowledgment: within 24 hours
- Triage and severity: within 72 hours
- Remediation timeline: within 7 business days
Safe harbor
OSSeva will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following this disclosure policy. We ask that you avoid accessing customer data, degrading service availability, or publicly disclosing before we have had a reasonable opportunity to remediate.
In scope
- osseva.io web application and associated subdomains
- OSSeva patch delivery infrastructure and build pipeline
- Authentication and access control mechanisms
- CVE disclosure and advisory systems
- Any OSSeva-supported runtime with a newly identified vulnerability
Out of scope
- Denial-of-service (DoS/DDoS) attacks
- Social engineering or phishing against OSSeva employees
- Third-party services or infrastructure not operated by OSSeva
- Issues requiring physical access to our systems
- Vulnerabilities in open-source projects themselves (report to their upstream maintainers)
Patch build signing
Every OSSeva patch build is cryptographically signed. Customers can independently verify that binaries came from OSSeva and have not been tampered with in transit or at rest.
# Key ID
B7C4E831
# Fingerprint
E8A1 3F92 D4B7 C401 8E35 F067 A293 B84C E7C4 E831
# Verify a Maven artifact (the .jar must sit next to its detached .asc signature)
gpg --recv-keys B7C4E831
gpg --fingerprint B7C4E831   # compare the printed fingerprint with the one above before trusting the key
gpg --verify osseva-rabbitmq-3.13.7-patch.jar.asc
# Verify a container image (keyless cosign verification also needs the OIDC issuer the signing identity came from)
cosign verify \
  --certificate-identity-regexp=".*@osseva.io" \
  --certificate-oidc-issuer="<oidc-issuer-url>" \
  ghcr.io/osseva/rabbitmq:3.13.7-patch
SHA-256 checksums for all binary releases are provided alongside each patch delivery and in our customer portal. Each customer receives a signed attestation document confirming the expected hash before deployment.
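The two checks above (expected SHA-256 digest from the attestation, detached GPG signature from the published key) are worth scripting so that a deployment step fails closed instead of relying on someone reading gpg's output. The script below is an added example, not OSSeva's own tooling, and it assumes the expected digest is taken from the signed attestation document, that the detached signature is stored as `<artifact>.asc` beside the artifact, and that the publisher's key has already been fetched into the local keyring. It pins on the full fingerprint rather than the short key ID, and it rejects a signature that is valid but made by some other key in the keyring, which a bare `gpg --verify` exit status would accept.

```shell
#!/bin/sh
# Added example, not OSSeva's own tooling: fail-closed verification of a
# downloaded patch artifact before deployment. Assumptions (not from the page):
# the expected SHA-256 hex digest comes from the signed attestation document,
# the detached signature sits next to the artifact as <artifact>.asc, and the
# publisher key is already in the local keyring (gpg --recv-keys).

# Expected signing-key fingerprint: the published value with spaces removed.
OSSEVA_FPR="E8A13F92D4B7C4018E35F067A293B84CE7C4E831"

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX: succeed only if the digest matches exactly.
verify_checksum() {
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# signed_by_expected_key EXPECTED_FPR: read gpg --status-fd output on stdin and
# succeed only if a VALIDSIG line names the expected key, either as the signing
# (sub)key (field 3) or as the primary-key fingerprint (last field). A good
# signature from any other key in the keyring must not pass.
signed_by_expected_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_signature FILE: check FILE against its detached signature FILE.asc.
verify_signature() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | signed_by_expected_key "$OSSEVA_FPR"
}

# verify_artifact FILE EXPECTED_HEX: both checks must pass; any failure is fatal.
verify_artifact() {
    verify_checksum "$1" "$2" || { echo "REJECT $1: checksum mismatch" >&2; return 1; }
    verify_signature "$1"     || { echo "REJECT $1: no valid signature from key $OSSEVA_FPR" >&2; return 1; }
    echo "OK $1"
}

# Usage: ./verify-patch.sh osseva-rabbitmq-3.13.7-patch.jar <sha256-from-attestation>
if [ "$#" -eq 2 ]; then
    verify_artifact "$1" "$2"
fi
```

The checksum and signature are deliberately separate checks: the digest proves the bytes match what the attestation names, the signature proves who produced them, and either failing is enough to stop the deployment.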
CVE disclosure timeline
- Send to security@osseva.io. Include CVE ID or description, affected component, reproduction steps, and impact assessment if known.
- We acknowledge receipt and assign a tracking ID.
- OSSeva engineers assess CVSS score, affected versions, and exploitability.
- Affected customers are notified for CVSS ≥ 7.0 vulnerabilities.
- Signed patch builds are delivered to customers with attestation documentation.
- We publish a public CVE entry in our vulnerability directory.
Frequently asked questions
What is the OSSeva security disclosure email?
Report vulnerabilities to security@osseva.io. Encrypt sensitive reports using the OSSeva PGP public key (Key ID B7C4E831). We acknowledge all reports within 24 hours.
Does OSSeva pay bug bounties?
OSSeva does not currently operate a formal paid bug bounty program. We do recognize researchers publicly (with permission) in our CVE directory for confirmed, responsibly disclosed vulnerabilities, and we consider the value of each submission when evaluating recognition.
How can I verify that an OSSeva patch binary is genuine?
Verify the GPG signature: gpg --recv-keys B7C4E831, confirm the fingerprint with gpg --fingerprint B7C4E831, then gpg --verify <artifact>.asc with the artifact in the same directory. Verify container images: cosign verify --certificate-identity-regexp='.*@osseva.io' --certificate-oidc-issuer='<oidc-issuer-url>' ghcr.io/osseva/<image>:<tag>. SHA-256 checksums are provided with every release.
What should I include when reporting a vulnerability?
Include: the affected component and version, a description of the vulnerability and how it can be triggered, the impact (what an attacker could do), a CVSS score estimate if possible, and any proof-of-concept code or reproduction steps. Partial reports are still welcome — we will work with you to complete the assessment.
Found something? Report it.
We take every report seriously. Reach out to security@osseva.io or book a call if you have questions about our security posture.