
Security Policy

Protecting your data and privacy is our highest priority. This comprehensive security policy outlines our commitment to safeguarding your information through robust infrastructure, code security, access controls, and compliance measures.

Last updated: November 2025

Introduction

We take the security of our software seriously. This document outlines our security policies, practices, and procedures to protect our users and their data.

Supported Versions

Version   Supported     Release Date   End of Life
1.x.x     Supported     2025-01-15     TBD
0.9.x     Supported     2024-11-01     2025-06-01
< 0.9     Unsupported   2024-08-15     2024-12-01

Reporting a Vulnerability

If you believe you have found a security vulnerability in Citadel, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them by emailing our security team at:

security@nbr.company

What to Include in Your Report

Please include the following information in your vulnerability report:

  • Description: A clear and detailed description of the vulnerability
  • Steps to Reproduce: Precise steps to reproduce the vulnerability
  • Impact Assessment: Potential impact and severity of the vulnerability
  • Environment: Affected versions, operating systems, and configurations
  • Proof of Concept: Code, screenshots, or other evidence demonstrating the vulnerability
  • Possible Mitigations: Any potential workarounds or fixes you've identified

Response Process

Our security team follows this process for handling vulnerability reports:

  1. Acknowledgment: We will acknowledge your report within 24 hours
  2. Initial Assessment: We will provide a detailed response within 72 hours
  3. Investigation: We will investigate the vulnerability and determine its impact
  4. Resolution: We will work on a fix and coordinate disclosure
  5. Patch Release: We will release a security patch in a timely manner
  6. Public Disclosure: We will publicly disclose the vulnerability after the patch is released

Timeline

We strive to adhere to the following timeline for vulnerability response:

  • Critical Vulnerabilities: 7 days to patch release
  • High Severity: 14 days to patch release
  • Medium Severity: 30 days to patch release
  • Low Severity: 90 days to patch release

Security Measures

Infrastructure Security

  • Dependency Scanning: Automated scanning for vulnerable dependencies using npm audit and Snyk
  • Container Security: Docker image scanning for vulnerabilities using Trivy
  • Secrets Management: HashiCorp Vault for secure credential storage (never in code)
  • Network Security: Firewall rules and network segmentation
  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)

Code Security

  • Code Reviews: All changes require review by multiple team members
  • Static Analysis: Automated security scanning in our CI pipeline
  • Dynamic Analysis: Regular penetration testing and vulnerability assessments
  • Security Training: Regular security awareness training for developers
  • Secure Coding Practices: Adherence to OWASP Top 10 and industry best practices

Access Control

  • Role-Based Access: Principle of least privilege for all systems
  • Multi-Factor Authentication: Required for all administrative access
  • Audit Logging: Comprehensive logging of all access and modifications
  • Regular Audits: Periodic access reviews and permission audits
  • Session Management: Secure session handling with proper timeouts

Data Protection

  • Data Encryption: AES-256 encryption for sensitive data
  • Data Minimization: Collection of only necessary data
  • Data Retention: Defined retention policies and secure deletion
  • Backup Security: Encrypted backups with access controls
  • Privacy by Design: Privacy considerations integrated into all features

Security Best Practices

For Developers

  • Never commit secrets or credentials to the repository
  • Use environment variables for all configuration
  • Validate all user inputs on both client and server
  • Sanitize data before rendering or storing
  • Follow the principle of least privilege for all operations
  • Keep dependencies up to date and monitor for vulnerabilities
  • Enable two-factor authentication on your GitHub account
  • Use parameterized queries to prevent SQL injection
  • Implement proper error handling without exposing sensitive information
  • Regularly review and update security configurations

For Deployments

  • Use the latest stable versions of all components
  • Implement proper firewall rules and network segmentation
  • Enable encryption for all data in transit and at rest
  • Regularly update and patch all system components
  • Monitor and log all access and security events
  • Implement backup and recovery procedures
  • Conduct regular security assessments and penetration testing
  • Follow the principle of least privilege for all services
  • Use secure configuration for all components
  • Implement proper access controls and authentication

Compliance

Standards and Frameworks

  • OWASP Top 10: Adherence to OWASP security principles
  • ISO 27001: Information security management
  • SOC 2: Security, availability, processing integrity, confidentiality, and privacy
  • GDPR: Compliance with General Data Protection Regulation
  • HIPAA: Health Insurance Portability and Accountability Act (for healthcare integrations)

Certifications

  • SOC 2 Type II: Annual audit and certification
  • ISO 27001: Information security management system certification
  • PCI DSS: Payment Card Industry Data Security Standard compliance

Incident Response

Incident Response Team

Our incident response team consists of:

  • Security Engineers: Specialized in vulnerability assessment and mitigation
  • Infrastructure Engineers: Experts in system security and hardening
  • Legal Counsel: Advisors on compliance and regulatory requirements
  • Communications Lead: Responsible for stakeholder communication

Incident Response Process

  1. Detection: Automated alerts and monitoring systems
  2. Analysis: Triage and impact assessment by security team
  3. Containment: Immediate threat isolation and mitigation
  4. Eradication: Root cause removal and system cleanup
  5. Recovery: System restoration and validation
  6. Lessons Learned: Post-incident review and process improvement

Communication

During a security incident, we will communicate with:

  • Affected Users: Direct notification of impacted accounts
  • Stakeholders: Regular updates on incident status and resolution
  • Regulatory Bodies: Required reporting to relevant authorities
  • Public Disclosure: Coordinated disclosure after patch release

Third-Party Security

Vendor Assessment

We conduct thorough security assessments of third-party vendors:

  • Security Questionnaires: Detailed security requirements and controls
  • Penetration Testing: Regular security testing of vendor systems
  • Compliance Verification: Verification of relevant certifications
  • Ongoing Monitoring: Continuous monitoring of vendor security posture

Supply Chain Security

  • Dependency Verification: Verification of all third-party dependencies
  • Code Signing: Verification of signed packages and binaries
  • Source Verification: Validation of package sources and origins
  • Regular Audits: Periodic review of supply chain security

Contact Information

For security-related inquiries, please contact:

Emergency Contact

For critical security incidents requiring immediate attention:

Policy Updates

This security policy is reviewed and updated annually, or as needed based on:

  • Changes in regulatory requirements
  • Evolving threat landscape
  • New security technologies and practices
  • Feedback from security assessments and audits

Last Updated: November 22, 2025
Next Review Date: November 22, 2026
