Security Policy

Supported Versions

Security fixes are provided on a best-effort basis for the current major version. We strongly recommend keeping stac-server updated to the latest release to ensure you have the most recent security patches.

Reporting a Vulnerability

The stac-server team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report a Security Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities using GitHub's private vulnerability reporting feature.

To report a vulnerability, go to the Security Advisories page and create a new security advisory.

What to Include

Please include the following information to help us better understand the nature and scope of the possible issue:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

Disclosure Policy

• Please give us reasonable time to investigate and address the vulnerability before any public disclosure
• We will credit you in the security advisory when we publish the fix (unless you prefer to remain anonymous)
• Once the vulnerability is fixed, we will publish a security advisory on GitHub

Security Best Practices

OpenSearch Security

When deploying stac-server, follow these OpenSearch security best practices:

1. Enable Fine-grained Access Control: Use OpenSearch's built-in fine-grained access control for granular permissions (see Deployment Guide)

2. Use Strong Passwords: If using fine-grained access control, ensure master and service account passwords are strong and unique

3. Secrets Management: Store credentials in AWS Secrets Manager rather than environment variables when possible

4. Network Security:

5. Deploy OpenSearch in a VPC
6. Use security groups to restrict access

7. Consider VPC endpoints for AWS services

8. Enable Encryption:

9. Enable encryption at rest for OpenSearch domains
10. Enable node-to-node encryption

11. Use HTTPS/TLS for all connections

12. Regular Updates: Keep OpenSearch and stac-server updated to the latest supported versions

AWS Lambda Security

1. Principle of Least Privilege: Grant Lambda functions only the IAM permissions they need

2. Environment Variables: Use encryption for sensitive environment variables

3. VPC Configuration: Deploy Lambdas in a VPC when accessing resources that require it

4. Monitoring: Enable CloudWatch logging and set up alerts for suspicious activity

API Gateway Security

1. Authentication: Consider implementing authentication for transaction endpoints (see Deployment Guide for IP-based restrictions)

2. Rate Limiting: Configure API Gateway throttling to prevent abuse

3. WAF: Use AWS WAF to protect against common web exploits (note the SQL injection false positive in Deployment Guide)

4. CORS: Configure CORS appropriately for your use case

Keeping Up to Date

• Watch this repository for security advisories
• Subscribe to security notifications via GitHub
• Check the CHANGELOG for security-related updates
• Join community discussions about security issues

Additional Resources

• OpenSearch Security Documentation
• AWS Security Best Practices
• OWASP Top 10

Next Steps

• Guides > Deployment - Deploy securely to AWS
• Guides > Configuration - Configure security settings
• About > Contributing - Report security issues

Thank you for helping keep stac-server and its users safe!