Security
Security Researchers
At DataKit, security is foundational, not an afterthought. We deeply value the work of external researchers in uncovering vulnerabilities and strengthening our platform. While we don't yet offer a bug bounty, we welcome responsible disclosures and partner with the security community to keep DataKit safe and resilient.
Reporting a Vulnerability
We take security issues seriously. If you discover a vulnerability in DataKit, please follow the steps below.
Responsible Disclosure
- Do not publicly disclose security vulnerabilities.
- Report the issue privately to our security team, preferably through GitHub Security Advisories or by email encrypted to the GPG key below. If the issue is specific to one of our public repositories, please report it to that repository.
Email: [email protected]
GPG Key: datakit-security.pub.asc
What to Include in Your Report
When reporting a vulnerability, please provide:
- A detailed description of the issue.
- Steps to reproduce (if possible).
- The affected version(s).
- Any potential mitigation or patch ideas.
We will acknowledge your report within 48 hours and keep you updated on the progress.
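As an added example of the email path described above (this is not DataKit's own tooling), the script below checks that a report text contains the sections listed in "What to Include in Your Report", then imports the published key and encrypts the report to it. It assumes `datakit-security.pub.asc` is in the current directory, that the recipient address is passed in as a parameter (the address on this page), and that you compare the printed fingerprint against one obtained from DataKit through a second channel before sending.

```shell
#!/bin/sh
# Added example, not part of DataKit's documentation: prepare and encrypt a
# vulnerability report before emailing it to the DataKit security team.
# Assumptions: datakit-security.pub.asc is in the working directory and the
# recipient address is supplied by the caller.
set -eu

# Headings every report should contain (from "What to Include in Your Report").
REQUIRED_SECTIONS="Description
Steps to reproduce
Affected version
Mitigation"

# check_report_sections FILE
# Returns 0 when every required heading appears (case-insensitively) in FILE,
# 1 otherwise, naming the missing ones on stderr. The here-document keeps the
# loop in the current shell, so "missing" survives past the loop.
check_report_sections() {
    file=$1
    missing=0
    while IFS= read -r section; do
        [ -n "$section" ] || continue
        if ! grep -qi -- "$section" "$file"; then
            printf 'report is missing a "%s" section\n' "$section" >&2
            missing=1
        fi
    done <<EOF
$REQUIRED_SECTIONS
EOF
    return $missing
}

# encrypt_report FILE RECIPIENT
# Refuses incomplete reports, imports the published key, prints its
# fingerprint for out-of-band comparison, and writes FILE.asc encrypted to
# RECIPIENT. --trust-model always skips the interactive "unknown key" prompt;
# it is only safe because the fingerprint was checked by hand first.
encrypt_report() {
    file=$1
    recipient=$2
    check_report_sections "$file" || return 1
    gpg --import datakit-security.pub.asc
    gpg --fingerprint "$recipient"
    gpg --armor --encrypt --trust-model always \
        --recipient "$recipient" --output "$file.asc" "$file"
}

# Usage: sh encrypt_report.sh report.txt <security address from this page>
if [ $# -eq 2 ]; then
    encrypt_report "$1" "$2"
fi
```

The section check is deliberately fail-closed: a report missing its affected-version or reproduction details is rejected locally rather than sent and bounced back, which also keeps the 48-hour acknowledgement clock from being spent on clarification.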
Security Best Practices
To securely use DataKit, follow these best practices:
Use Official Channels
Only download DataKit artifacts from official sources like dtkt.dev or from our GitHub Releases.
Verify Signed Artifacts
DataKit artifacts are signed using Cosign. Before using a downloaded artifact, verify its integrity:
Check for Vulnerabilities
Regularly scan artifacts for vulnerabilities.
For example:
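The following script is an added example covering both "Verify Signed Artifacts" and "Check for Vulnerabilities"; it is not DataKit's own release tooling. It assumes (this page does not say so) that releases are signed keylessly from GitHub Actions, so the expected certificate identity and OIDC issuer are placeholders to replace with the values DataKit publishes, and that each release file ships with a matching `<file>.sig` and `<file>.pem`. The tool names `cosign`, `syft` and `grype` are the ones listed under Security Tools below.

```shell
#!/bin/sh
# Added example, not DataKit's script: verify a downloaded artifact with
# cosign, then build an SBOM with syft and scan it with grype.
# Assumptions: keyless signing from GitHub Actions (identity/issuer below are
# placeholders), and <file>.sig / <file>.pem sit next to the artifact.
set -eu

EXPECTED_IDENTITY=${DATAKIT_SIGNING_IDENTITY:-"https://github.com/ORG/REPO/.github/workflows/release.yml@refs/tags/vX.Y.Z"}
EXPECTED_ISSUER=${DATAKIT_OIDC_ISSUER:-"https://token.actions.githubusercontent.com"}
FAIL_ON=${GRYPE_FAIL_ON:-high}   # grype exits non-zero at this severity or above

# require_tools NAME... -> 0 if every tool is on PATH, 1 otherwise.
require_tools() {
    ok=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'missing required tool: %s\n' "$tool" >&2
            ok=1
        fi
    done
    return $ok
}

# have_signing_material FILE -> 0 only if FILE, FILE.sig and FILE.pem exist.
# An artifact without its signature bundle is unverifiable, never "probably fine".
have_signing_material() {
    [ -f "$1" ] && [ -f "$1.sig" ] && [ -f "$1.pem" ]
}

# verify_artifact FILE: cosign keyless verification of a release blob.
# Pinning both identity and issuer is what makes the check meaningful: a valid
# signature from any other workflow or identity provider is rejected. For a
# tag-agnostic policy, cosign also offers --certificate-identity-regexp.
verify_artifact() {
    file=$1
    require_tools cosign || return 1
    have_signing_material "$file" || {
        printf 'no .sig/.pem found for %s, refusing to use it\n' "$file" >&2
        return 1
    }
    cosign verify-blob \
        --certificate "$file.pem" \
        --signature "$file.sig" \
        --certificate-identity "$EXPECTED_IDENTITY" \
        --certificate-oidc-issuer "$EXPECTED_ISSUER" \
        "$file"
}

# scan_artifact FILE: generate the SBOM first, then scan the SBOM. Keeping the
# SBOM lets you re-scan later as new CVEs are published without re-downloading.
scan_artifact() {
    file=$1
    require_tools syft grype || return 1
    syft "$file" -o cyclonedx-json > "$file.sbom.json"
    grype "sbom:$file.sbom.json" --fail-on "$FAIL_ON"
}

# Usage: sh verify_and_scan.sh datakit_<os>_<arch>.tar.gz
if [ $# -eq 1 ]; then
    verify_artifact "$1" && scan_artifact "$1"
fi
```

Run the verification step before anything else touches the download (no extraction, no `docker load`), and re-run `scan_artifact` on a schedule against the saved SBOM; a release that was clean on download day can pick up a high-severity finding weeks later when a new CVE lands in grype's database.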
Keep Your Versions Updated
Since we only support the latest stable release, always update artifacts to the latest version.
Security Tools
We use the following tools to secure our OSS code repositories, artifacts, and deployments. Some are language-dependent, while others are general-purpose security tools.
Secrets & Credential Scanning
- GitHub Secret Scanning: detects and prevents secrets from being committed to repositories.
Code Quality & Linting
- Go Report Card: generates a report on the quality of a Go project.
- golangci-lint: a fast linter runner for Go, catching security and quality issues early.
Static & Dynamic Code Analysis
- GitHub CodeQL: analyzes source code for security vulnerabilities.
- Go Fuzzing: helps find security vulnerabilities and bugs by fuzz testing Go code.
Supply Chain Security & Dependency Management
- Dependabot: automatically detects and updates vulnerable dependencies in our projects.
SBOM & Vulnerability Scanning
- syft: generates a Software Bill of Materials (SBOM) for tracking dependencies.
- grype: scans images, projects, and SBOM data for known vulnerabilities (CVE detection).
Code Signing & Integrity
- cosign: ensures binary authenticity and integrity by signing artifacts.
Best Practices
- OpenSSF Best Practices: provides a set of best practices for secure software development.
- OpenSSF Scorecard: evaluates the security posture of our open-source projects against those best practices.
Infrastructure & Kubernetes Security
- kubescape: scans Kubernetes manifests and clusters for misconfigurations and vulnerabilities.
- kube-score: analyzes Kubernetes object definitions to check them against best practices.
- kubesec: scans Kubernetes manifests and performs security risk analysis.
This security stack helps ensure that our OSS code repositories, artifacts, and deployments remain safe, reliable, and compliant with industry best practices.
Disclosure Timeline
| Timeframe | Action |
|---|---|
| 0-2 days | Acknowledge vulnerability report |
| 3-7 days | Investigate and confirm vulnerability |
| 7-14 days | Develop a patch or mitigation |
| 14+ days | Release a fix and notify users |
Critical vulnerabilities may receive expedited patches and releases.