Security Policy
Reporting a Vulnerability
If you discover a security vulnerability in jGuard, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
How to Report
Email security concerns to: security@jguard.io
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Any suggested fixes (optional)
What to Expect
| Timeframe | Action |
|---|---|
| 24-48 hours | Initial acknowledgment |
| 7 days | Assessment and severity classification |
| 30-90 days | Fix development and testing |
| After fix | Coordinated disclosure |
Disclosure Policy
We follow coordinated disclosure:
- Reporter contacts us privately
- We assess and develop a fix
- We release a patched version
- We publish a security advisory
- Reporter may publish details after advisory
Security Advisories
Security advisories are published on:
- GitHub Security Advisories
- Release notes
Scope
The following are in scope:
- jGuard agent (`jguard-agent`)
- Policy compiler (`jguard-policy`)
- CLI tools (`jguard-cli`)
- Gradle plugin (`io.jguard.policy`)
Out of scope:
- This documentation website
- Third-party dependencies (report to their maintainers)
Recognition
We appreciate security researchers who help keep jGuard secure. With your permission, we'll acknowledge your contribution in the security advisory.
Security Best Practices
When using jGuard in production:
- Sign your JARs - Enable policy verification
- Disable unsigned policies - Set `allowUnsignedPolicies = false`
- Use strict mode - Set `mode = "strict"`
- Review policies - Audit all entitlements before deployment
- Protect policy directories - Restrict write access to external policies
- Monitor violations - Enable logging with `jguard.log.denied=true`