The Proxmox Astronomy Lab is committed to maintaining high security standards across our infrastructure, code, and documentation. This document outlines our security policies, vulnerability reporting procedures, and security best practices.

We follow CISv8 Level 2 for Linux systems and CISv9 Level 1 for Windows systems, ensuring a robust security posture while maintaining operational efficiency.
We take all security vulnerabilities seriously. If you believe you've found a security vulnerability in our project, please follow these steps:

- Do NOT disclose the vulnerability publicly or on our public issue tracker
- Submit your report through one of these channels:
  - Email: security@beardinthe.cloud (preferred method)
  - Private message to project maintainers on our communication platforms

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested mitigation (if available)
- Whether you want to be credited for the discovery

After submitting a vulnerability report:

- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: Our security team will assess the vulnerability
- Updates: We will provide updates on our progress
- Resolution: Once resolved, we will notify you and implement changes
- Disclosure: We will coordinate responsible disclosure if applicable
Our project adheres to the following security standards:

| System Type | Security Standard | Implementation |
|---|---|---|
| Linux VMs | CISv8 Level 2 | Ansible-enforced hardening, daily security scans |
| Windows VMs | CISv9 Level 1 | Group Policy enforcement, regular security audits |
| Network | Zero Trust principles | VLAN segmentation, strict access controls |
| Authentication | Passwordless MFA | Entra ID with conditional access policies |
| Docker/Containers | CIS Docker Benchmark | Security scanning, minimal base images |
Contributors to the project are expected to:

- Follow secure coding practices appropriate for the language/platform
- Never commit credentials or secrets to the repository
- Use approved dependency sources and keep dependencies updated
- Review code for security vulnerabilities before submission
- Follow the principle of least privilege in all implementations

- Wazuh SIEM: For security monitoring and threat detection
- rkhunter/chkrootkit: For Linux rootkit detection
- Lynis: For Linux security auditing
- osquery: For cross-platform visibility
- CIS-CAT: For automated benchmark scanning
For contributors looking to improve their security knowledge:
Detailed security documentation is available in our repository:
We maintain the following schedule for security updates:

| Update Type | Timeframe | Notes |
|---|---|---|
| Critical Vulnerabilities | 48 hours | Immediate attention for severe threats |
| High Severity | 7 days | Prioritized for quick resolution |
| Medium Severity | 30 days | Scheduled with regular maintenance |
| Low Severity | 90 days | Addressed in quarterly updates |
Our security approach maps to multiple compliance frameworks:

- CIS Controls (primary framework)
- NIST 800-53 (mapped alignment)
- ISO 27001 (mapped alignment)

This multi-framework approach ensures comprehensive security coverage while maintaining practical operability.
We would like to thank the following individuals and organizations for their contributions to our security posture:

- CIS for their benchmark documentation
- The open-source security tool developers that make our security monitoring possible
- All security researchers who have responsibly disclosed vulnerabilities

This security policy is regularly reviewed and updated. Last update: 2025-03-19

The Proxmox Astronomy Lab is committed to continuous security improvement. We welcome feedback on this policy and our security practices.