We release security updates for the following versions:
| Version | Supported |
|---|---|
| main | ✅ |
| Latest release | ✅ |
| Older releases | ❌ |

We strongly recommend running the latest version of IncidentFox.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of these methods:
Report security vulnerabilities privately through GitHub:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the advisory form with details
Send details to security@incidentfox.ai with:
- Type of vulnerability (RCE, injection, XSS, etc.)
- Affected component(s)
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 24 hours
- Initial assessment: Within 3 business days
- Regular updates: At least every 7 days until resolved
- Disclosure timeline: Coordinated disclosure after patch is available
We follow responsible disclosure practices and will credit reporters (unless you prefer to remain anonymous).
Security issues in:
- IncidentFox core (agent, orchestrator, config-service)
- Web console (authentication, authorization, XSS, CSRF)
- API endpoints (injection, authentication bypass)
- Slack bot (command injection, unauthorized access)
- Integrations (credential leakage, SSRF)
- Deployment configs (Kubernetes, Docker)
- Dependencies (critical CVEs in direct dependencies)

Out of scope:
- Social engineering attacks
- Physical attacks
- Attacks requiring MITM on local network
- DoS/DDoS attacks
- Issues in third-party services (Slack, AWS, etc.)
- Issues only exploitable with admin access
- Theoretical vulnerabilities without proof of concept
- Brute force attacks without additional vulnerability
When deploying IncidentFox:
- Never commit secrets to version control
- Use secrets proxy in production (see deployment guide)
- Rotate credentials regularly
- Use separate credentials for dev/staging/prod
- Deploy behind a firewall
- Use TLS for all external communications
- Restrict API access to authorized networks
- Enable audit logging
- Enable SSO/OIDC for production deployments
- Use role-based access control (RBAC)
- Review team permissions regularly
- Enable approval workflows for critical changes
- Use Claude Sandbox in production (isolated Kubernetes namespaces)
- Limit agent permissions to minimum required
- Monitor agent actions via audit logs
- Review tool usage patterns
- Subscribe to security announcements (watch this repo)
- Update IncidentFox regularly
- Monitor dependency vulnerabilities (Dependabot enabled)
- Review audit logs for suspicious activity
IncidentFox agents execute commands against your infrastructure (kubectl, AWS CLI, etc.). This is by design for incident response.
Mitigations:
- Tools run in isolated sandboxes
- Secrets never touch the agent (injected by proxy)
- Approval workflows for critical operations
- Full audit trail of all actions
Like all LLM-powered tools, IncidentFox may be susceptible to prompt injection attacks.
Mitigations:
- Input validation and sanitization
- Separate system and user contexts
- Tool-specific safety checks
- Human approval for destructive operations
Agents may access sensitive data (logs, metrics, code).
Mitigations:
- On-premise deployment option (full data control)
- Configurable data retention policies
- Audit logs for data access
- RBAC for sensitive integrations
IncidentFox includes security features for production:
- SOC 2 compliant infrastructure (managed deployments)
- End-to-end encryption for data in transit
- Secrets proxy (credentials never touch agents)
- Audit logging (all actions tracked)
- RBAC (role-based access control)
- SSO/OIDC support
- Approval workflows for critical changes
- Isolated sandboxes (Kubernetes namespaces per agent)
See Enterprise Ready for details.
When we receive a security report:
- Confirmation: We confirm the vulnerability
- Patch development: We develop and test a fix
- Coordinated disclosure: We coordinate with the reporter on disclosure timeline
- Release: We release a patch and security advisory
- Public disclosure: We publicly disclose the issue (typically 90 days after patch)
We credit security researchers in:
- Security advisories
- Release notes
- Public acknowledgments (if desired)
We recognize security researchers who help keep IncidentFox secure:
No security issues reported yet. Be the first!
- Security issues: security@incidentfox.ai
- General questions: founders@incidentfox.ai
- Community: Slack | Discussions
- Deployment Guide — production deployment best practices
- Architecture — system design and security architecture
- Enterprise Ready — advanced security features