Security: AtLongLastAnalytics/vigil

.github/SECURITY.md

Security Policy

Supported Versions

Vigil is currently maintained as a single mainline release.

Version    Supported
0.1.x      Yes
< 0.1.0    No

Reporting a Vulnerability

Please do not report security vulnerabilities in public GitHub issues.

Report privately using one of the following channels:

  1. Email: info@atlonglastanalytics.com
  2. Subject line: Vigil Security Disclosure
  3. Include: affected version, impact, reproduction steps, and any proof-of-concept details

You can optionally include encrypted details and a preferred contact method for follow-up.

What to Expect

  • Initial acknowledgement: within 3 business days
  • Triage decision (valid / needs more info / out of scope): within 7 business days
  • Status updates: at least every 7 business days while actively investigating
  • Remediation target: based on severity and exploitability

Disclosure Process

  1. We acknowledge and triage the report.
  2. We reproduce and assess impact.
  3. We create and test a fix.
  4. We coordinate release timing with the reporter when possible.
  5. We publish remediation details in CHANGELOG.md.

Scope

In scope:

  • Code in this repository
  • GitHub Actions workflow definitions
  • Deployment and configuration guidance in project docs

Out of scope:

  • Vulnerabilities in third-party services or dependencies that are not directly caused by this project
  • Social engineering, phishing, spam, or physical attacks
  • Denial-of-service testing against production systems without explicit written approval

Security Best Practices for Contributors

  • Never commit secrets, keys, tokens, or private certificates.
  • Use managed identity for runtime Azure authentication where supported.
  • Keep dependencies current and review Dependabot updates promptly.
  • Prefer least-privilege RBAC assignments and avoid broad roles when narrower roles are available.
  • Pin GitHub Actions by commit SHA and review CI changes carefully.
  • Validate all externally sourced data and sanitize output rendered in emails or logs.

Hardening Guidance for Operators

  • Store deployment credentials in GitHub Environments (not repository-wide secrets).
  • Enable required reviewers on production environments.
  • Rotate publish profiles and service credentials on a regular schedule.
  • Enable Application Insights alerting for exceptions and authentication failures.
  • Regularly review role assignments for the Function App managed identity.

Deployment Security Model

  • GitHub Actions deploys using OIDC via azure/login with federated credentials scoped to the production environment — no publish profile secret is required.
  • Deployment credentials (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID) are stored as environment secrets on the production environment, not as repository-wide secrets.
  • The production environment can be configured with required reviewers to mandate manual approval before any deploy reaches Azure.
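An added illustration of this model, not the project's own workflow file: a minimal deploy job that binds to the production environment, requests an OIDC token, logs in with azure/login using the three environment secrets named above, and pins every action by commit SHA. The commit SHAs and the Function App name are placeholders; the federated-credential subject shown in the comment is the standard GitHub OIDC format for an environment-scoped credential.

```yaml
name: deploy

on:
  push:
    branches: [main]

# Workflow-wide default: read-only; jobs opt in to anything more.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to the environment does two things: it is the only way
    # the environment-scoped secrets become visible, and it lets required
    # reviewers gate the run before any step executes.
    environment: production
    permissions:
      id-token: write   # required to request the OIDC token from GitHub
      contents: read
    steps:
      # Pin by full commit SHA (placeholders here), never by a mutable tag;
      # keep the version in a trailing comment so Dependabot can track it.
      - uses: actions/checkout@<FULL_COMMIT_SHA> # vX.Y.Z

      # The Azure-side federated credential must carry this subject so the
      # token only works for runs of this environment (no publish profile):
      #   repo:AtLongLastAnalytics/vigil:environment:production
      - uses: azure/login@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Deploy step; <FUNCTION_APP_NAME> is a placeholder for the target app.
      - uses: azure/functions-action@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          app-name: <FUNCTION_APP_NAME>
          package: .
```

If a job is not bound to the environment, the environment secrets are simply absent and azure/login fails, which is the intended failure mode rather than a silent fallback to broader credentials.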

Safe Harbor

We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and provide reasonable time for remediation before public disclosure.

There aren't any published security advisories