| Version | Support Status |
|---|---|
| v2.12.x (main) | ✅ Active support |
| v2.11.x | |
| < v2.11 | ❌ No longer supported |
Please do NOT open a public GitHub issue for security vulnerabilities.
Report security issues via:
- Email: security@bess-solutions.cl
- Response SLA: Within 48 hours for acknowledgment; 90 days to patch.
- Encryption: PGP key available on request.
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact (exploitability, affected components)
- Suggested mitigation (optional)
This security policy covers BESSAI Edge Gateway (open-bess-edge):
- `src/core/`: compliance and control logic
- `src/drivers/`: hardware drivers (Modbus, IEC 60870-5-104)
- `src/interfaces/`: publishers, health server, metrics
Out of scope:
- Third-party libraries (report to their respective projects)
- Issues in trained AI models (stored privately — not in this repo)
- Physical security of BESS hardware installations
BESSAI Edge Gateway implements:
| Standard | Implementation |
|---|---|
| IEC 62443 SL-2 | SL2SecurityGate — RBAC, HMAC-SHA256, rate limiting |
| Ley Marco Ciberseguridad 21.663/2024 | SecurityNotifier — CSIRT notification ≤3h |
| OWASP Top 10 | No hardcoded secrets, input validation, structured logging |
| Apache 2.0 License | Open source — contributions welcome |
We follow a 90-day coordinated disclosure policy. Reporters who responsibly disclose vulnerabilities will be credited in our CHANGELOG (unless they prefer anonymity).
- mTLS for CEN telemetry (GAP-003): Certificates are never stored in this repo. Generate them via `bash infrastructure/certs/gen_certs.sh`.
- AI models: Trained ONNX models are not included in this open-source repository. They are distributed via the private `bessai-models` package.
- Environment variables: All sensitive configuration (endpoints, keys) must be set via a `.env` file, which is never committed. See `.env.example`.
BESS Solutions SpA — security@bess-solutions.cl