Security Policy
Last Updated: January 17, 2025
Supported Versions
We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---------|-----------|
| 0.9.x   | ✅ Yes    |
| < 0.9   | ❌ No     |
Reporting a Vulnerability
⚠️ Please DO NOT file public GitHub issues for security vulnerabilities.
Public disclosure of vulnerabilities puts all MEDUSA users at risk. We take security seriously at Pantheon Security
and will respond promptly to privately reported issues. If you discover a security vulnerability in MEDUSA,
please report it to us privately so we can address it before public disclosure.
How to Report
Email: security@pantheonsecurity.io
PGP Key: Coming soon
What to Include
Please include the following information in your report:
- Description of the vulnerability - What is the issue?
- Steps to reproduce - How can we recreate the issue?
- Potential impact - What could an attacker do with this vulnerability?
- Affected versions - Which versions of MEDUSA are affected?
- Suggested fixes (optional) - Do you have ideas for how to fix it?
- Your name/handle (optional) - For acknowledgment in security advisories
Response Timeline
We aim to respond according to the following timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-7 days
  - High: 7-30 days
  - Medium: 30-90 days
  - Low: Best effort
Disclosure Policy
- We request that you give us reasonable time to fix the issue before public disclosure
- We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
- We may provide a CVE if the issue warrants one
- We will coordinate with you on the disclosure timeline
Security Updates
To receive security updates:
Supported Features
What MEDUSA does:
- ✅ Scans code for security issues (static analysis)
- ✅ Performs all scanning locally on your machine
What MEDUSA does not do:
- Execute code from scanned projects
- Send data to external servers (all scanning is local)
- Require network access (except for tool installation)
- Store scan results remotely
Known Limitations
Please be aware of these limitations when using MEDUSA:
- Third-party tools: MEDUSA relies on external security tools (listed in tool-versions.lock)
- Accuracy: We cannot guarantee 100% accuracy - false positives and false negatives may occur
- Version lag: Tool versions are pinned for reproducibility but may lag behind latest versions
- Coverage: Not all vulnerability types can be detected by static analysis
Security Best Practices
When using MEDUSA:
- Keep MEDUSA updated to the latest version for security patches
- Review scan results - don't blindly trust all findings
- Use pinned tool versions for production CI/CD pipelines
- Report false positives to help us improve detection accuracy
- Combine with other tools - MEDUSA should be part of a defense-in-depth strategy
- Verify tool integrity - download from official sources (PyPI, GitHub)
Bug Bounty
We currently do not offer a bug bounty program but deeply appreciate responsible disclosure.
Security researchers who help us improve MEDUSA will be acknowledged in:
- Security advisories
- Release notes
- Our website (with your permission)
Third-Party Dependencies
MEDUSA depends on numerous third-party security tools. Security issues in those tools should be
reported to their respective maintainers. We monitor security advisories for our dependencies
and update them promptly.
Open Source Transparency
MEDUSA is open source (MIT License). You can review the complete source code at
github.com/Pantheon-Security/medusa to verify our security claims and practices.
Contact
For security-related inquiries:
Thank you for helping keep MEDUSA and its users safe!
Responsible disclosure helps the entire security community. We appreciate your efforts
to improve the security of open-source software.