The STIG Manager Team makes every effort to produce secure software. The project addresses vulnerabilities in the application with new mainline releases. Old versions will not be patched. All users are expected to stay up to date with security and feature updates by running only the latest release available.

Vulnerability scans are run regularly against project components and any issues identified are addressed. Nevertheless, we are grateful to anyone reporting a vulnerability and helping us to make STIG Manager better and more secure. Additionally, we encourage everyone to disclose bugs in a responsible way, allowing us and other STIGMan users to react accordingly and in a timely manner. That means:

• If you want to report a critical security bug or vulnerability please send a bug report to [email protected] before publishing it. We will acknowledge your email within a week (7 days), and will send a more detailed response up to 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and an announcement. We may ask for additional information or guidance. When disclosing vulnerabilities please include the following:

  • The word "SECURITY" in the subject line.
  • Your name and affiliation (if any).
  • Scope of vulnerability. Let us know who could use this exploit.
  • Documented steps to identify the vulnerability. It is important that we can reproduce your findings.

• If you want to report a non-critical bug, please open an issue on the GitHub project. If you are using a scanning tool to identify a vulnerability, please attempt to determine whether or not the issue is a false positive before reporting, and if it is not, include the specific scanner, settings, and config you used to identify it.

• Report security bugs in third-party modules to the person or team maintaining the module.

• This is an open source project. If you discover a bug and fix it, you are very welcome to submit a PR. Your fix will be reviewed, and if accepted, you will become a valued addition to our CONTRIBUTORS.md file!

• Known vulnerabilities will be published on the Security Advisories page of the project's GitHub site.

STIG Manager is one component of a system that must be deployed according to your individual or organizational security requirements.

Please see the project Documentation for more information on this topic.