Security: Element84/filmdrop-deployment-template

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

We take the security of this project seriously. If you discover a security vulnerability, please help us responsibly disclose it.

How to Report a Security Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

security@element84.com

Include the following information in your report:

  • Description: A clear description of the vulnerability
  • Impact: The potential impact of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Affected Versions: Which versions of the project are affected
  • Suggested Fix: If you have a suggested fix, please include it (optional)

Response Timeline

  • We will acknowledge receipt of your vulnerability report as soon as possible; we are a small team, so delays sometimes happen
  • We will then provide a more detailed response indicating the next steps
  • We will keep you informed of progress toward a fix and announcement
  • We will notify you when the vulnerability has been fixed

Disclosure Policy

  • Please give us a reasonable amount of time to fix the vulnerability before making any information public
  • We request that you do not exploit the vulnerability or problem you have discovered
  • We request that you do not reveal the problem to others until it has been resolved
  • We will publicly acknowledge your responsible disclosure if you wish (or you can remain anonymous)
  • Unfortunately, as a small team, we cannot offer bounties at this time

Security Best Practices for Users

Before Public Release

If you're preparing to make your FilmDrop deployment repository public, ensure you:

  1. Review Git History for Secrets

    # Scan entire repository history for secrets
    # (-E alternation is portable; GNU grep's \| is not understood by BSD grep on macOS)
    git log -p | grep -iE "password|secret|key|token|credential"

    # Use gitleaks to scan history
    gitleaks detect --source . --verbose
  2. Rotate Any Exposed Credentials

    • AWS access keys and secret keys
    • GitHub tokens or personal access tokens
    • Any API keys or service credentials
    • TLS/SSL certificates and private keys
  3. Review IAM Permissions

    • Review the IAM role permissions in bootstrap/cloudformation/github-oidc-role.yaml
    • Ensure they align with your organization's least-privilege security requirements
    • Consider restricting permissions to only the services you actually use
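The `git log -p | grep` command in step 1 only follows the current branch and reports no location for a hit. The script below is an added example, not part of the FilmDrop template: it runs `git grep` over every commit reachable from any branch or tag, so a key committed on a long-deleted feature branch that was merged still shows up with its commit, path and line. The regex list is a constructed starting point for a few common credential shapes; extend it for your own token formats.

```shell
#!/bin/sh
# Added example (not the template's own code): scan all reachable history for
# common credential shapes and report <commit>:<path>:<line>:<text>.
set -eu

# Constructed list of high-confidence secret shapes (extended regex).
# Keyword matches require a quoted value of 8+ characters so that a line that
# only *references* a variable (db_password = var.db_password) does not fire.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|ghp_[A-Za-z0-9]{36}|(password|secret|token)[[:space:]]*=[[:space:]]*"[^"]{8,}"'

# scan_text: read text on stdin, print matching lines with line numbers.
# Exit status follows grep: 0 if anything matched, 1 if nothing did.
scan_text() {
    grep -En "$SECRET_PATTERNS"
}

# count_hits: number of matching lines in the text on stdin (0 when clean).
count_hits() {
    scan_text | wc -l | tr -d ' '
}

# scan_history REPO_DIR: git grep over every commit reachable from any ref.
# xargs batches the commit list so a long history does not overflow the
# argument limit. Commits that survive only in the reflog (e.g. amended-away
# commits) are not visited; add --reflog to rev-list to include them.
scan_history() {
    repo="${1:-.}"
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 \
        || { echo "not a git repository: $repo" >&2; return 2; }
    git -C "$repo" rev-list --all \
        | xargs git -C "$repo" grep -En "$SECRET_PATTERNS" \
        | sort -u
}

# Usage: sh scan_history.sh <repo-dir>
# Only runs when given a directory, so the file can also be sourced for reuse.
if [ -n "${1:-}" ]; then
    hits=$(scan_history "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "secrets found in history: rotate them and rewrite history before publishing" >&2
        exit 1
    fi
    echo "no matches in reachable history (run gitleaks as well)"
fi
```

A hit in history is not fixed by a new commit that deletes the file; the credential must be rotated (step 2) and the history rewritten before the repository goes public.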

During Development

  1. Enable Pre-commit Hooks

    # Install pre-commit framework
    pip install pre-commit
    
    # Install the hooks
    pre-commit install
    
    # Test the hooks
    pre-commit run --all-files

    These hooks will automatically:

    • Detect private keys and AWS credentials
    • Scan for secrets using gitleaks
    • Validate Terraform syntax and formatting
  2. Use OIDC for GitHub Actions

    • Never store long-lived AWS credentials in GitHub secrets
    • Use the OIDC configuration provided in bootstrap/cloudformation/github-oidc-role.yaml
    • Session credentials automatically expire after 2 hours
  3. Secure Terraform Variable Files

    • Never commit files with actual sensitive values (.tfvars with real credentials)
    • Use template files with empty values or placeholders
    • Sensitive values should be:
      • Stored in GitHub repository secrets (for CI/CD)
      • Passed via environment variables (for local development)
      • Retrieved from AWS Secrets Manager or Parameter Store
  4. Backend Configuration Security

    • Ensure S3 state buckets have:
      • Versioning enabled (for recovery)
      • Encryption enabled (AES256 or KMS)
      • Public access blocked
      • Secure transport required (HTTPS only)
    • Use DynamoDB table for state locking in multi-user environments
    • Never commit backend files with actual bucket names to public repos (use templates)
  5. Branch Protection Rules

    • Enable branch protection on main branch
    • Require pull request reviews before merging
    • Require status checks to pass (pre-commit, terraform plan)
    • Consider requiring manual approval for terraform apply jobs
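Step 4 lists four controls for the S3 state bucket plus a lock table. The script below is an added example, not the template's own code, showing what each control looks like when applied with the AWS CLI. Bucket and table names are placeholders supplied by the caller; the script only contacts AWS when invoked with `--apply`, and the generated backend block is printed as a template rather than written into the repository.

```shell
#!/bin/sh
# Added example (not the template's own code): apply the state-bucket controls
# listed above and create the DynamoDB lock table. Names are placeholders.
set -eu

# tls_only_policy BUCKET: bucket policy denying any request not made over HTTPS.
# aws:SecureTransport is the standard condition key for this check.
tls_only_policy() {
    bucket="$1"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}
EOF
}

# harden_state_bucket BUCKET: versioning, default encryption, public access
# block and the TLS-only policy on an existing bucket.
harden_state_bucket() {
    bucket="$1"
    aws s3api put-bucket-versioning --bucket "$bucket" \
        --versioning-configuration Status=Enabled
    aws s3api put-bucket-encryption --bucket "$bucket" \
        --server-side-encryption-configuration \
        '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    aws s3api put-bucket-policy --bucket "$bucket" --policy "$(tls_only_policy "$bucket")"
}

# create_lock_table TABLE: Terraform's S3 backend locks on a string key named LockID.
create_lock_table() {
    aws dynamodb create-table --table-name "$1" \
        --attribute-definitions AttributeName=LockID,AttributeType=S \
        --key-schema AttributeName=LockID,KeyType=HASH \
        --billing-mode PAY_PER_REQUEST
}

# backend_config BUCKET KEY REGION TABLE: the matching backend block, printed so
# it can be kept as a template and filled per environment instead of committing
# real bucket names.
backend_config() {
    cat <<EOF
terraform {
  backend "s3" {
    bucket         = "$1"
    key            = "$2"
    region         = "$3"
    encrypt        = true
    dynamodb_table = "$4"
  }
}
EOF
}

# Usage: STATE_BUCKET=... LOCK_TABLE=... sh harden_backend.sh --apply
if [ "${1:-}" = "--apply" ]; then
    : "${STATE_BUCKET:?set STATE_BUCKET}" "${LOCK_TABLE:?set LOCK_TABLE}"
    harden_state_bucket "$STATE_BUCKET"
    create_lock_table "$LOCK_TABLE"
fi
```

Swap `AES256` for `aws:kms` plus a `KMSMasterKeyID` if you want a customer-managed key. Terraform 1.10 and later can also lock state with an S3 lock file (`use_lockfile = true`), which removes the DynamoDB table; the controls on the bucket itself stay the same.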

AWS Credential Management

Local Development:

  • Use named AWS CLI profiles instead of default credentials
  • Configure profiles in ~/.aws/credentials (excluded from git)
  • Use temporary credentials via aws sts assume-role when possible
  • Enable MFA for AWS console access
  • Rotate access keys regularly (every 90 days minimum)

CI/CD Pipeline:

  • Use OIDC-based authentication (no static credentials)
  • Set appropriate session durations (2 hours or less)
  • Use environment-specific IAM roles (separate dev/staging/prod)
  • Enable CloudTrail logging for audit trails
  • Use separate AWS accounts per environment
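For local development the list above recommends named profiles, `aws sts assume-role` and MFA. The function below is an added example, not the template's own tooling: it assumes a role with an MFA code and prints `export` lines for the resulting session credentials, so the long-lived key stays in `~/.aws/credentials` and only a time-bounded session reaches the environment. The role ARN, MFA serial and account id are placeholders, and `AWS_CMD` exists so a wrapper or test can substitute the CLI binary.

```shell
#!/bin/sh
# Added example (not the template's own code): MFA-protected assume-role that
# emits export statements for short-lived credentials.
AWS_CMD="${AWS_CMD:-aws}"

# assume_role_env ROLE_ARN SESSION_NAME [MFA_SERIAL] [TOKEN_CODE] [DURATION_SECONDS]
# Use as: eval "$(AWS_PROFILE=dev-user assume_role_env arn:... my-session arn:...:mfa/me 123456)"
# --query/--output text yields one tab-separated line, so no JSON parser is needed.
assume_role_env() {
    role_arn="$1"; session="$2"; mfa_serial="${3:-}"; token="${4:-}"; duration="${5:-3600}"
    set -- sts assume-role --role-arn "$role_arn" --role-session-name "$session" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text
    if [ -n "$mfa_serial" ]; then
        set -- "$@" --serial-number "$mfa_serial" --token-code "$token"
    fi
    # The source profile (long-lived key + MFA device) comes from AWS_PROFILE;
    # what comes back is a session bounded by --duration-seconds.
    out=$("$AWS_CMD" "$@") || return 1
    IFS="$(printf '\t')" read -r akid secret stoken expiry <<EOF
$out
EOF
    [ -n "$akid" ] && [ -n "$secret" ] && [ -n "$stoken" ] || return 1
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$akid"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$stoken"
    # Not read by the SDKs; kept so a shell prompt or script can show time left.
    printf 'export AWS_CREDENTIAL_EXPIRATION=%s\n' "$expiry"
}
```

The same result without a script: a profile in `~/.aws/config` with `role_arn`, `source_profile` and `mfa_serial` makes the CLI assume the role and prompt for the MFA code on each new session; the script form is useful when a tool needs the credentials as environment variables.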

Sensitive File Patterns

The .gitignore file excludes common sensitive file patterns:

  • *.tfvars.json, *secret*.tfvars, *private*.tfvars - Variable files with secrets
  • .env* files - Environment configuration files
  • *.pem, *.key, *.crt - Certificates and private keys
  • SSH keys (id_rsa, id_dsa, etc.)
  • AWS credential files

Always review files before committing to ensure no sensitive data is included.

Security Features

This repository includes several security features:

Pre-commit Hooks

  • detect-private-key - Detects accidentally committed private keys
  • detect-aws-credentials - Scans for AWS access keys and secrets
  • gitleaks - Comprehensive secret scanning tool

Terraform State Security

  • S3 bucket with encryption enabled
  • Versioning for recovery and audit trails
  • Public access completely blocked
  • Secure transport enforced (HTTPS only)

GitHub Actions Security

  • OIDC-based authentication (no stored credentials)
  • Temporary session credentials (2-hour expiration)
  • Terraform plan artifact integrity verification (SHA256 checksums)
  • Plan age validation (48-hour maximum)
  • Explicit permission scoping (id-token: write only where needed)
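Two of the features above, plan artifact checksums and the 48-hour plan age limit, are easy to get subtly wrong. The functions below are an added example, not the repository's own workflow code, showing one way a plan job and an apply job can share the checks: the plan job records a SHA-256 digest and creation time beside the plan file, and the apply job refuses to run when the digest differs or the plan is older than 48 hours. The metadata file name and format are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the template's own workflow code): plan artifact integrity
# and age checks shared by a plan job and an apply job.
set -eu

MAX_PLAN_AGE_SECONDS=172800   # 48 hours

# sha256_of FILE: hex digest via sha256sum (GNU coreutils) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_plan_metadata PLAN_FILE [NOW_EPOCH]: write PLAN_FILE.meta with the
# digest and creation time. NOW_EPOCH defaults to the current time; it is a
# parameter only so the logic can be exercised deterministically.
record_plan_metadata() {
    plan="$1"; now="${2:-$(date +%s)}"
    printf 'sha256=%s\ncreated_at=%s\n' "$(sha256_of "$plan")" "$now" > "$plan.meta"
}

# verify_plan_integrity PLAN_FILE: 0 only if the current digest matches the recorded one.
verify_plan_integrity() {
    plan="$1"
    expected=$(sed -n 's/^sha256=//p' "$plan.meta")
    actual=$(sha256_of "$plan")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_plan_age PLAN_FILE [NOW_EPOCH]: 0 only if the plan was created within
# MAX_PLAN_AGE_SECONDS (a stale plan may no longer describe real infrastructure).
verify_plan_age() {
    plan="$1"; now="${2:-$(date +%s)}"
    created=$(sed -n 's/^created_at=//p' "$plan.meta")
    [ -n "$created" ] \
        && [ $((now - created)) -ge 0 ] \
        && [ $((now - created)) -le "$MAX_PLAN_AGE_SECONDS" ]
}

# gate_apply PLAN_FILE [NOW_EPOCH]: what the apply job runs before
# `terraform apply PLAN_FILE`; explains on stderr why it refuses.
gate_apply() {
    if ! verify_plan_integrity "$1"; then
        echo "refusing to apply: plan checksum mismatch (artifact modified or replaced)" >&2
        return 1
    fi
    if ! verify_plan_age "$1" "${2:-}"; then
        echo "refusing to apply: plan older than ${MAX_PLAN_AGE_SECONDS}s; re-run terraform plan" >&2
        return 1
    fi
}
```

A digest stored in the same artifact as the plan only detects corruption: anyone able to replace the artifact can replace the `.meta` file too. To detect substitution, hand the digest to the apply job through a channel the plan job controls, such as a job output or an environment-protected variable, and compare against that.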

TFLint Security Rules

  • IAM policy validation
  • Security group rule checks
  • Resource tagging enforcement
  • Terraform best practices validation

Supported Versions

Version | Supported
latest  | Yes

We recommend always using the latest version of this template.

Known Security Considerations

IAM Role Permissions

The default IAM role (bootstrap/cloudformation/github-oidc-role.yaml) grants broad permissions across multiple AWS services to support the full range of FilmDrop components.

Action Required: Review and restrict these permissions based on your actual usage and organizational security requirements. Consider:

  • Removing services you don't use
  • Adding resource-level restrictions where possible
  • Implementing permission boundaries
  • Using separate roles for different environments

Session Duration

The default IAM role session duration is 7200 seconds (2 hours). For enhanced security, consider reducing this to 3600 seconds (1 hour) if your deployment pipelines can complete within that timeframe.

Multi-Environment Strategy

For production use, we strongly recommend:

  • Deploying each environment (dev/staging/prod) to separate AWS accounts
  • Using AWS Organizations with Service Control Policies (SCPs)
  • Implementing cross-account IAM roles with strict trust policies
  • Enabling AWS CloudTrail in all accounts

Additional Resources

Questions?

If you have questions about security practices or this security policy, please contact us at security@element84.com.