Security Policy

ORAN handles authentication, location data, and health-adjacent service queries. We take security seriously and welcome responsible disclosure from the research community.

Reporting a vulnerability

If you discover a security vulnerability, please report it privately. Do not open a public GitHub issue for security-sensitive findings.

Scope

In scope

  • ORAN web application (oranhf57ir-prod-web.azurewebsites.net)
  • All public API endpoints (/api/**)
  • Authentication and session management
  • Data submission and search pipeline

Out of scope

  • Third-party services (Azure Maps, Microsoft Entra ID, Azure infrastructure)
  • Denial-of-service attacks
  • Social engineering or phishing attempts against ORAN staff
  • Physical security

Our commitments

  • Acknowledge all vulnerability reports within 48 hours.
  • Remediate critical vulnerabilities within 14 days of confirmation.
  • No legal action against researchers acting in good faith, following this policy, and not accessing or exfiltrating user data beyond what is necessary to demonstrate the vulnerability.
  • Credit in release notes for responsibly disclosed, confirmed vulnerabilities (unless the researcher prefers anonymity).
  • ORAN does not currently operate a paid bug bounty program. All qualifying reporters receive public attribution (with consent) and our formal thanks.

Security practices

Area: Detail

  • Authentication: Microsoft Entra ID via NextAuth.js. All protected routes gated server-side. Sessions fail closed if auth is misconfigured.
  • Authorization: Role-based access control (RBAC) enforced at both middleware and API handler level. Principle of least privilege.
  • Input validation: All API routes validate untrusted input with Zod before processing. No raw SQL string interpolation.
  • Encryption in transit: TLS enforced on all endpoints. HTTPS-only. No mixed content.
  • Encryption at rest: Database encrypted at rest via Azure Database for PostgreSQL Flexible Server.
  • PII in telemetry: Sentry error traces are anonymized. No user identifiers or location data in telemetry payloads.
  • Content Security Policy: CSP header applied sitewide. No CORS wildcard. Same-origin policy default.
  • Rate limiting: In-memory sliding-window rate limiting on all API routes. 429 responses include Retry-After headers.
  • Dependency management: Dependabot security alerts enabled. npm audit runs in CI on every pull request. High-severity CVEs block merging.

Full technical control details in docs/SECURITY_PRIVACY.md. See also our Privacy Policy for telemetry and data collection details.

Past disclosures

No disclosures on record.

Machine-readable disclosure file

A SECURITY.md file in the repository root is provided for automated tooling.

View SECURITY.md →

A security.txt file at /.well-known/security.txt is planned for a future release.