- Security Commitment
- Supported Versions
- Reporting Security Vulnerabilities
- Security Response Process
- Security Standards and Compliance
- Development Security Practices
- Dependency Management
- Access Control and Authentication
- Data Protection
- Infrastructure Security
- Incident Response
- Security Training and Awareness
- Third-Party Security
- Security Metrics and Monitoring
At Globomantics, security is our highest priority. We are committed to:
- Protecting our customers' data and maintaining their trust
- Following industry-leading security practices and standards
- Continuous improvement of our security posture
- Transparency in our security processes
- Rapid response to security incidents
We provide security updates for the following versions:
| Version | Support Status | Security Updates | End of Life |
|---|---|---|---|
| 5.x.x | ✅ Active | ✅ Yes | Dec 2026 |
| 4.x.x | ✅ Yes | Jun 2026 | |
| 3.x.x | ❌ EOL | ❌ No | Dec 2024 |
| < 3.0 | ❌ EOL | ❌ No | Jan 2024 |
DO NOT report security vulnerabilities through public GitHub issues.
Please report security vulnerabilities through one of these channels:
-
GitHub Security Advisories (Preferred)
- Navigate to Security → Advisories → New draft advisory
- Provide detailed information about the vulnerability
- Our security team will respond within 24 hours
-
Email
- Send reports to: security@globomantics.com
- Use our PGP key: Download PGP Key
- Include "SECURITY" in the subject line
-
Bug Bounty Program
- Submit through: https://bugbounty.globomantics.com
- Review scope and rewards: https://bugbounty.globomantics.com/scope
Please provide:
- Vulnerability type (e.g., XSS, SQL Injection, RCE)
- Affected components and versions
- Steps to reproduce
- Proof of concept (if available)
- Impact assessment
- Suggested remediation (optional)
- Initial Response: Within 24 hours
- Triage and Assessment: Within 72 hours
- Regular Updates: Every 72 hours until resolution
- Credit: Security researchers will be credited (unless anonymity is requested)
| Severity | CVSS Score | Response Time | Example |
|---|---|---|---|
| Critical | 9.0-10.0 | 4 hours | RCE, Auth bypass |
| High | 7.0-8.9 | 24 hours | Privilege escalation |
| Medium | 4.0-6.9 | 7 days | XSS, Information disclosure |
| Low | 0.1-3.9 | 30 days | Minor info leaks |
- Triage: Security team validates and assesses severity
- Containment: Immediate mitigation if critical
- Investigation: Root cause analysis
- Remediation: Develop and test patches
- Release: Coordinated disclosure and patch release
- Post-Mortem: Learning and process improvement
- SOC 2 Type II: Annual audit (latest: Jan 2026)
- ISO 27001: Certified (Certificate #: ISO27001-2024-1234)
- PCI DSS Level 1: For payment processing components
- GDPR/CCPA: Full compliance with privacy regulations
We follow:
- NIST Cybersecurity Framework
- OWASP Top 10 mitigation strategies
- CIS Controls v8
- Zero Trust Architecture principles
-
Threat Modeling
- STRIDE methodology for all new features
- Architecture review for major changes
- Security champions in each team
-
Secure Coding Standards
- Language-specific guidelines (JavaScript, Python, Go)
- Input validation and output encoding
- Cryptography standards (no custom crypto)
- Secrets management via HashiCorp Vault
-
Code Review Requirements
- Mandatory peer review for all changes
- Security-focused review for sensitive components
- Automated security checks via GitHub Advanced Security
-
Security Testing
- Static Application Security Testing (SAST): CodeQL, Semgrep
- Dynamic Application Security Testing (DAST): OWASP ZAP
- Software Composition Analysis (SCA): Dependabot, Snyk
- Container scanning: Trivy, Docker Scout
- Infrastructure as Code scanning: Checkov, tfsec
# Example security pipeline stages
stages:
- secrets-scanning # Detect leaked credentials
- dependency-check # Vulnerable dependencies
- sast-scan # Static code analysis
- container-scan # Image vulnerabilities
- license-compliance # OSS license checks
- security-gates # Block on critical findings- SBOM Generation: Automated for all releases (SPDX/CycloneDX)
- Dependency Review: All updates reviewed by security team
- Private Registry: Internal npm/PyPI/Docker registries
- Signed Commits: GPG signing required for all commits
- Artifact Signing: Cosign for container images
-
SLA for Patches:
- Critical: 24 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
-
Automated Updates: Dependabot with auto-merge for patches
-
License Scanning: Automated compliance checks
-
Dependency Pinning: Lock files required
- Single Sign-On (SSO): SAML 2.0 / OAuth 2.0 / OIDC
- Multi-Factor Authentication: Required for all accounts
- Privileged Access Management: CyberArk for admin access
- Just-In-Time Access: Temporary elevation via PIM
- Role-Based Access Control (RBAC): Granular permissions
- Principle of Least Privilege: Default deny
- Regular Access Reviews: Quarterly certification
- API Security: OAuth 2.0 with scopes
- At Rest: AES-256-GCM
- In Transit: TLS 1.3 minimum
- Key Management: AWS KMS / Azure Key Vault
- Database Encryption: Transparent Data Encryption (TDE)
| Level | Description | Controls |
|---|---|---|
| Secret | API keys, passwords | Vault storage, audit logging |
| Confidential | PII, financial data | Encryption, access controls |
| Internal | Business data | Standard controls |
| Public | Marketing content | Basic controls |
- Data Minimization: Collect only necessary data
- Right to Erasure: Automated GDPR compliance
- Data Retention: Defined policies per data type
- Cross-Border Transfer: Standard Contractual Clauses
- Multi-Cloud Strategy: AWS, Azure, GCP
- Infrastructure as Code: Terraform with policy as code
- Network Segmentation: Zero Trust networking
- WAF Protection: AWS WAF / Cloudflare
# Security-hardened base image
FROM cgr.dev/chainguard/node:latest
# Non-root user
USER node
# Security headers
ENV NODE_ENV=production
# Health checks
HEALTHCHECK --interval=30s --timeout=3s \
CMD node healthcheck.js || exit 1- SIEM: Splunk Enterprise Security
- Log Aggregation: ELK Stack with encryption
- Threat Detection: CrowdStrike Falcon
- Security Metrics: Custom dashboards
- 24/7 Security Operations Center (SOC)
- Incident Commander rotation
- Defined escalation paths
- External IR retainer: CrowdStrike
- Data Breach Response
- Ransomware Response
- DDoS Mitigation
- Supply Chain Compromise
- Insider Threat
- Internal: Slack #security-incidents
- Customer: Status page and email
- Regulatory: Legal team coordination
- Public: Coordinated disclosure
- Secure Coding: Quarterly workshops
- OWASP Top 10: Annual certification
- Security Champions: Advanced training program
- Capture The Flag: Monthly security challenges
- Security Awareness: Monthly modules
- Phishing Simulation: Bi-weekly tests
- Incident Reporting: Clear procedures
- Security Culture: Gamification and rewards
- Security Questionnaires: Standardized assessment
- Proof of Compliance: SOC 2/ISO required
- Continuous Monitoring: SecurityScorecard
- Contract Requirements: Security addendums
- License Compliance: Automated scanning
- Vulnerability Scanning: Daily checks
- Contribution Policy: Security review required
- Fork Management: Regular upstream syncs
| Metric | Target | Current |
|---|---|---|
| Mean Time to Detect (MTTD) | < 1 hour | 45 min |
| Mean Time to Respond (MTTR) | < 4 hours | 3.2 hours |
| Patch Compliance | > 95% | 97% |
| Security Training Completion | 100% | 98% |
| Phishing Click Rate | < 5% | 3.2% |
Real-time visibility at: https://security.globomantics.com/dashboard
- Vulnerability trends
- Compliance status
- Incident metrics
- Training progress
- Third-party risk scores
- Security Team Email: security@globomantics.com
- Security Hotline: +1-800-GLOB-SEC (24/7)
- Bug Bounty: https://bugbounty.globomantics.com
- Security Blog: https://security.globomantics.com/blog
- Status Page: https://status.globomantics.com
We thank the security research community for their contributions:
Last Updated: January 2026
Next Review: April 2026
Policy Version: 3.2.0