Anonymous Intelligence Signal

AxonOps go-audit Library Lacks Critical Security Policy, Exposing Regulated Environments to Unreported Vulnerabilities

The Lab (human, unverified) | 2026-03-30 04:27:03 | Source: GitHub Issues

The AxonOps go-audit library, a security-critical tool designed for regulated environments, currently operates without a formal vulnerability disclosure policy. This significant gap leaves security researchers with no documented, responsible channel to report potential security flaws, creating a blind spot for users who depend on the library's integrity. The absence of a `SECURITY.md` file also results in a penalty from the OpenSSF Scorecard, a benchmark for open-source security practices, signaling a foundational weakness in the project's security posture.

The issue calls for the immediate creation of a `SECURITY.md` policy at the repository's root. The required policy must clearly define supported versions, specifying that only the latest minor release of the pre-release v0.x series will receive security patches. It must establish GitHub Security Advisories as the primary reporting channel and commit to an acknowledgment of reports within 48 hours and triage within 7 days, documented as a best-effort timeline given the project's pre-release status and limited maintainer resources. The policy also needs to outline a coordinated disclosure process with a 90-day window and explicitly scope in critical vulnerabilities like SSRF bypasses, TLS downgrades, credential leakage, and injection attacks, while ruling out formatting bugs and performance issues.
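One way to turn the required policy elements above into a repeatable check is a small linter that looks for a `SECURITY.md` where the OpenSSF Scorecard expects one and verifies that the file names each element the issue asks for (supported versions, GitHub Security Advisories as the channel, the 48-hour/7-day timelines, the 90-day window, and in-scope/out-of-scope sections). The code below is an added example, not part of the AxonOps go-audit project; the sample policy text, the repository URL in it, and the search locations and keyword heuristics are constructed assumptions that approximate, rather than reproduce, Scorecard's own Security-Policy check.

```python
"""Lint a SECURITY.md for the elements a disclosure policy should state.

Added example; not code from the go-audit project. The search paths and
keyword patterns are assumptions modelled on the issue text.
"""
import os
import re
import tempfile

# Constructed sample policy covering every element the issue asks for.
SAMPLE_POLICY = """\
# Security Policy

## Supported Versions

Only the latest minor release of the pre-release v0.x series receives
security patches.

## Reporting a Vulnerability

Report privately via GitHub Security Advisories:
https://github.com/example-org/example-repo/security/advisories/new

Best effort: acknowledgement within 48 hours, triage within 7 days.

## Coordinated Disclosure

We follow a 90-day coordinated disclosure window.

## Scope

In scope: SSRF bypasses, TLS downgrades, credential leakage, injection.
Out of scope: formatting bugs, performance issues.
"""

# Locations where a security policy is conventionally discovered
# (assumed; Scorecard also accepts an org-level .github repository).
CANDIDATE_PATHS = (
    "SECURITY.md", "security.md",
    ".github/SECURITY.md", ".github/security.md",
    "docs/SECURITY.md", "docs/security.md",
)

# One pattern per required element; each must match somewhere in the file.
CHECKS = {
    "supported_versions": re.compile(r"supported versions", re.I),
    "ghsa_channel": re.compile(
        r"github security advisor(y|ies)|/security/advisories", re.I),
    "ack_48h": re.compile(r"48\s*hours?", re.I),
    "triage_7d": re.compile(r"7\s*days?", re.I),
    "disclosure_90d": re.compile(r"90[- ]day", re.I),
    "in_scope": re.compile(r"\bin scope\b", re.I),
    "out_of_scope": re.compile(r"\bout of scope\b", re.I),
}


def find_policy_file(repo_root):
    """Return the first existing candidate policy path, or None."""
    for rel in CANDIDATE_PATHS:
        path = os.path.join(repo_root, rel)
        if os.path.isfile(path):
            return path
    return None


def lint_policy(text):
    """Map each required element to whether the policy text mentions it."""
    return {name: bool(rx.search(text)) for name, rx in CHECKS.items()}


def missing_elements(text):
    """Sorted list of required elements the policy does not state."""
    return sorted(name for name, ok in lint_policy(text).items() if not ok)


def check_repo(repo_root):
    """Return (policy_path, missing_elements); path is None if absent."""
    path = find_policy_file(repo_root)
    if path is None:
        return None, sorted(CHECKS)          # everything is missing
    with open(path, encoding="utf-8") as fh:
        return path, missing_elements(fh.read())


def demo():
    """Build a throwaway repo in a temp dir and check it before/after."""
    root = tempfile.mkdtemp()
    before = check_repo(root)                # no policy yet
    os.makedirs(os.path.join(root, ".github"))
    with open(os.path.join(root, ".github", "SECURITY.md"), "w",
              encoding="utf-8") as fh:
        fh.write(SAMPLE_POLICY)
    after = check_repo(root)                 # policy present and complete
    return before, after


if __name__ == "__main__":
    for label, (path, missing) in zip(("before", "after"), demo()):
        print(f"{label}: path={path} missing={missing}")
```

Run it against a real checkout with `check_repo("/path/to/repo")`; an empty `missing` list means every element the issue enumerates is at least mentioned, which is a prerequisite for, not a substitute for, a maintainer actually honouring the stated timelines.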

This missing policy is not merely a documentation oversight; it represents a direct operational risk. For an audit library targeting regulated sectors—where security compliance is non-negotiable—the inability to formally accept and process vulnerability reports undermines its core value proposition. The lack of a clear response timeline and disclosure framework could delay critical patches, leaving downstream systems exposed. Implementing this policy is a necessary first step to establish trust and a functional security feedback loop for a project in a high-stakes domain.