Security
Security disclosure policy
Wardengate sits on the path to our customers' most sensitive infrastructure. We take reports from the security community seriously, triage them quickly, and coordinate disclosure with affected customers so that fixes are deployed before we talk about findings publicly. This page describes how to reach us, what's in scope, and what you can expect in return.
How to report
Email security@wardengate.example with a description of the issue, steps to reproduce, affected version(s), and any proof-of-concept you're comfortable sharing. If the finding is sensitive, encrypt your report with our PGP key. You can expect a human acknowledgement within two business days.
Please do not file public issues on GitHub, open a support ticket, or post in community forums. Those channels are watched by customers and are not appropriate for pre-patch vulnerability details.
Scope
In scope for coordinated disclosure:
- The Wardengate control plane, gateway, and target agent — all supported releases, on all supported platforms.
- The wgctl CLI and the official client SDKs.
- First-party container images published under ghcr.io/wardengate and the official Helm chart.
- Marketing and documentation sites hosted under wardengate.example and its direct subdomains.
Out of scope:
- Customer-hosted deployments — please coordinate with the operating organization first.
- Denial-of-service findings that require disproportionate traffic or resource exhaustion of shared infrastructure, and physical attacks.
- Social engineering of Wardengate staff, contractors, or customers.
- Reports generated solely by automated scanners with no analyst-validated impact.
What to expect from us
- An acknowledgement from a human within two business days.
- A triage decision (accepted / duplicate / out of scope) within seven days, with reasoning.
- Regular progress updates, on a cadence agreed with you, through remediation and release.
- Credit on the release advisory, under the name or handle you choose — or no credit, if you prefer to stay anonymous.
Coordinated disclosure timeline
We target a 90-day window from confirmed receipt to a fixed release and public advisory. For actively exploited issues we will move faster and may ship an out-of-band patch. If remediation will take longer than 90 days we will let you know as soon as we know, and agree on a revised timeline with you before anything becomes public.
Safe harbor
We will not pursue legal action against good-faith researchers who: operate within this policy; avoid privacy violations, destruction of data, and degradation of user experience; make a good-faith effort to give us a reasonable chance to fix the issue before disclosing; and do not exploit findings beyond what is necessary to demonstrate impact. If in doubt, ask first — email us, describe what you plan to do, and we will tell you if we see a problem.
This policy is not a waiver of third-party rights. If your testing affects a customer environment, you are responsible for having that customer's authorization.
PGP key
For encrypted reports, use the key below. Fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000. The current key is also published at https://wardengate.example/.well-known/security.asc. Before encrypting, check that the fingerprint of the key you import matches the one printed here; do not trust a key offered to you through any other channel.
-----BEGIN PGP PUBLIC KEY BLOCK----- (placeholder — replace with the current Wardengate security team public key before publishing this page) -----END PGP PUBLIC KEY BLOCK-----
Advisories
Published advisories live at https://wardengate.example/security/advisories. Each advisory includes affected versions, a CVSS 3.1 vector, the fixed release, and the mitigation path for operators who cannot upgrade immediately.