| Version | Supported |
|---|---|
| 0.3.x | YES |
Only the latest minor version is actively maintained for security updates. Users are encouraged to update to the latest release.
The security of `hardn` is taken seriously. As a tool designed to enhance Linux system security, the integrity and security of `hardn` itself is paramount.
If you discover a security vulnerability, please send a detailed report to:
Email: 641138+abbott@users.noreply.github.com
Please DO NOT create a public GitHub issue for security vulnerabilities.
When reporting a vulnerability, please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fixes if available
Here's what you can expect after reporting:
- Acknowledgment: You will receive an acknowledgment of your report within 48 hours.
- Assessment: The vulnerability will be verified and assessed for severity.
- Fix Development: If validated, a fix will be developed as quickly as possible.
- Release: A security patch will be released, and the fix will be mentioned in release notes without detailing the vulnerability until users have had time to update.
- Public Disclosure: After a reasonable period for users to update, details may be publicly disclosed.
As `hardn` is a solo-maintained project, there is currently no formal bug bounty program. However, significant security contributions will be acknowledged in the project's README and release notes.
`hardn` employs several security features:
- SLSA Level 3 Compliance: All releases follow Supply-chain Levels for Software Artifacts (SLSA) Level 3 requirements.
- Sigstore Artifact Signing: All binaries are cryptographically signed and verifiable.
- Tamper Protection: Binaries include provenance attestation.
- Transparency: Build processes are fully documented in the provenance.
Users are encouraged to verify the signatures and provenance of all `hardn` releases using the provided verification tools.
Security updates will be announced through:
- GitHub releases
- Commit messages with the `security:` prefix
- The `hardn` CLI and CLI menu header when the binary is run locally
`hardn` aims to maintain minimal dependencies to reduce attack surface. All dependencies are regularly reviewed and updated.
Last updated: March 2025