The SeeBOM maintainers take security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, report them through one of these channels:
- GitHub Security Advisories (preferred): https://github.com/seebom-labs/seebom/security/advisories/new
- Email: Contact the maintainers listed in MAINTAINERS.md directly.
Please include as much of the following information as possible to help us triage your report quickly:
- Type of vulnerability (e.g. SQL injection, XSS, authentication bypass, container escape)
- Affected component(s) (API Gateway, Parsing Worker, UI, Helm Chart, ClickHouse schema)
- Full paths of affected source file(s)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment (what an attacker could achieve)
| Action | Target |
|---|---|
| Acknowledgement of report | 3 business days |
| Initial assessment | 7 business days |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
We will work with you to understand and validate the report. Once confirmed, we will:
- Develop a fix in a private branch
- Assign a CVE identifier if appropriate
- Release a patched version
- Publish a security advisory on GitHub
We follow the CVSS v3.1 scoring system:
| Severity | CVSS Score | Response |
|---|---|---|
| Critical | 9.0 – 10.0 | Immediate patch release |
| High | 7.0 – 8.9 | Patch release within 7 days |
| Medium | 4.0 – 6.9 | Fix in next scheduled release |
| Low | 0.1 – 3.9 | Fix when convenient |
| Version | Supported |
|---|---|
| Latest release (N) | ✅ Full support |
| N-1 | ✅ Security fixes only |
| N-2 | ✅ Security fixes only |
| Older versions | ❌ |
When deploying SeeBOM, pay attention to:
- ClickHouse credentials: Always change the default password. Use the `seebom-secret` Kubernetes Secret.
- UI is public: The Angular frontend has no authentication. Do not expose it to the internet without an authentication proxy (e.g. OAuth2 Proxy, Pomerium).
- License exceptions are read-only: By design, no API endpoint can modify license exceptions or policy — they are loaded from config files to prevent tampering via the public UI.
- SBOM source directory: Ensure only trusted SBOM/VEX files are placed in the ingestion directory. Malicious JSON payloads could attempt to exploit the parsers.
- Container images: All backend containers run as `nobody:nobody`. The UI runs as the `nginx` user. No container requires root privileges.
- Network policies: In production, restrict ClickHouse access to only the SeeBOM pods.
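As an added example (not part of the SeeBOM project or its Helm chart), a Kubernetes NetworkPolicy that applies the "restrict ClickHouse to the SeeBOM pods" advice above. The namespace and the pod labels are assumptions to be replaced with the labels your release actually sets; ports 8123 and 9000 are ClickHouse's default HTTP and native interfaces.

```yaml
# Added example, not SeeBOM's own manifest. Selecting the ClickHouse pods with
# policyTypes: [Ingress] denies all inbound traffic to them except what is
# listed under `ingress`, so anything that is not a SeeBOM workload (including
# the public UI pod, which never talks to ClickHouse directly) is cut off.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: clickhouse-allow-seebom-only
  namespace: seebom                     # assumed namespace
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: clickhouse   # assumed label on the ClickHouse pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: seebom   # assumed label on API Gateway and Parsing Worker pods
      ports:
        - protocol: TCP
          port: 8123                    # ClickHouse HTTP interface (default)
        - protocol: TCP
          port: 9000                    # ClickHouse native TCP interface (default)
```

The policy only takes effect when the cluster's CNI plugin enforces NetworkPolicy; verify it from a pod without the allowed label (for example, the UI pod) by confirming a connection to port 8123 times out.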
- We follow coordinated vulnerability disclosure.
- We will credit reporters in the security advisory unless they prefer to remain anonymous.
- We ask that you give us reasonable time to address the issue before public disclosure.
- We will not take legal action against researchers who follow this policy.
SeeBOM has not yet undergone a formal security audit. If you are interested in sponsoring or conducting one, please reach out to the maintainers.
Thank you for helping keep SeeBOM and its users safe.