This policy applies to the ForePath One monorepo, which contains multiple products. Product-specific security documentation lives in each product docs tree. Use the links in Security Resources below for detailed registers, SBOM paths, and hardening notes.

We provide security updates for the following versions of this framework:

Security updates are intended for supported 2.x.x releases. Full disclosure and CRA-oriented context:

• Agenstra: Supported versions and security updates
• Decabill: Supported versions and security updates

We take security seriously and appreciate your help in keeping this framework and its users safe.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities to our security team:

• Email: soc@forepath.io
• Subject: [SECURITY] Framework Vulnerability Report (you may add the product name, for example Agenstra or Decabill, in the body)
• Response Time: We aim to respond within 48 hours

When reporting a security vulnerability, please include:

1. Description - Clear description of the vulnerability
2. Impact - Potential impact and severity assessment
3. Steps to Reproduce - Detailed steps to reproduce the issue
4. Affected Versions - Which versions of this framework are affected
5. Suggested Fix - If you have ideas for how to fix the issue
6. Contact Information - How we can reach you for follow-up

1. Initial Response - We'll acknowledge receipt within 48 hours
2. Assessment - Our security team will assess the vulnerability
3. Investigation - We'll investigate and validate the issue
4. Fix Development - We'll develop and test a fix
5. Coordination - We'll coordinate disclosure with you
6. Release - We'll release the fix and security advisory

We believe in recognizing security researchers who help keep this framework secure:

• Hall of Fame - Security researchers will be recognized in our security acknowledgments
• Responsible Disclosure - We follow responsible disclosure practices
• Collaboration - We work with researchers to ensure proper fixes

• Keep Dependencies Updated - Regularly update all dependencies
• Follow Security Guidelines - Adhere to the project's code quality and security practices
• Use Secure Coding Practices - Follow secure coding principles
• Regular Security Audits - Perform regular security audits of your code

• Security Training - Ensure your team is trained on security best practices
• Regular Updates - Keep this framework and all dependencies up to date
• Security Monitoring - Implement security monitoring and alerting
• Incident Response - Have an incident response plan in place

This framework includes several built-in security features:

• Dependency Scanning - Automated vulnerability scanning in CI/CD (Trivy on pull requests; see CI security scanning)
• Security Headers - Default security headers for web applications
• Input Validation - Built-in input validation and sanitization
• Authentication Patterns - Secure authentication and authorization patterns

• Trivy - Repository, IaC/config, secret, and container image scanning in CI (trivy.yaml; CRITICAL fail gate; SARIF to GitHub Security when enabled)
• npm audit - Integrated dependency vulnerability scanning
• ESLint Security Rules - Security-focused linting rules
• Pre-commit Hooks - Format, lint, test, build, and Trivy filesystem/config scans (tools/ci/trivy-pre-commit.sh; requires Trivy on PATH)
• CI/CD Security Gates - Automated security validation in pull request checks (Trivy); release workflow publishes SBOMs without re-scanning

The products intentionally depart from stricter baselines in a few places. Each item below is accepted with compensating measures and a review cadence. Expanded register entries live in the product security docs linked below.

Full register: docs/agenstra/security/accepted-risks.md

Full register: docs/decabill/security/accepted-risks.md

We publish CycloneDX SBOM files for each release (Nx service SBOMs and Trivy container image SBOMs). Each product publishes to its own object-store bucket under the same key layout.

• Path: releases/<version>/sboms/
• Example: releases/2.0.0/sboms/

• Agenstra documentation - Architecture, deployment, and setup
• Agenstra security documentation - CRA/BSI transparency, accepted risks, hardening, SBOM, disclosure, CI scanning
• Decabill documentation - Billing product guides
• Decabill security documentation - Decabill accepted risks, SBOM, and hardening

• OWASP Top 10 - Common security risks
• NIST Cybersecurity Framework - Cybersecurity best practices
• GitHub Security Advisories - Security vulnerability database

1. Do NOT create a public issue or discussion
2. Do NOT share details on social media or public forums
3. Do email soc@forepath.io immediately
4. Do provide as much detail as possible
5. Do allow us time to investigate and fix the issue

• 48-hour acknowledgment of security reports
• Regular updates on investigation progress
• Coordinated disclosure with security researchers
• Timely fixes for confirmed vulnerabilities
• Public acknowledgment of security researchers

• Security Issues: soc@forepath.io
• General Questions: hi@forepath.io
• Emergency Contact: Available 24/7 for critical security issues

• Critical Issues: 24 hours
• High Priority: 48 hours
• Medium Priority: 1 week
• Low Priority: 2 weeks

Thank you for helping keep this framework and its users secure. Your responsible disclosure helps us maintain the highest security standards and protects the entire community.

Remember: Security is everyone's responsibility. Together, we can build and maintain secure software that protects users and their data.

Last updated: June 2026