The quantum-devops-ci project takes security seriously. This document outlines our security practices, vulnerability reporting procedures, and security-related configurations.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities via:
- Go to https://github.com/quantum-devops/quantum-devops-ci/security/advisories
- Click "Report a vulnerability"
- Fill out the vulnerability report form
Send detailed vulnerability reports to: [email protected]
Please include as much information as possible:
- Vulnerability Type: What kind of security issue (injection, auth bypass, etc.)
- Location: Which file(s), line numbers, or component
- Impact: Potential security impact and affected systems
- Reproduction: Step-by-step instructions to reproduce
- Evidence: Screenshots, logs, or proof-of-concept code
- Suggested Fix: If you have ideas for remediation
We commit to the following response times:
- Initial Response: Within 48 hours
- Triage Assessment: Within 7 days
- Status Updates: Every 7 days until resolution
- Security Fix: Critical issues within 30 days
- Static Analysis: Bandit security linting on all Python code
- Dependency Scanning: Safety checks for known vulnerabilities
- Secret Detection: Pre-commit hooks prevent credential leaks
- Supply Chain: Dependency pinning and integrity verification
- Credential Management: Secure handling of quantum hardware tokens
- Circuit Validation: Input sanitization for quantum circuits
- Resource Limits: Protection against resource exhaustion attacks
- Hardware Access: Secure quantum hardware authentication
- CI/CD Security: Secure GitHub Actions workflows
- Container Security: Minimal base images and vulnerability scanning
- Access Control: Least-privilege access patterns
- Audit Logging: Comprehensive activity logging
Never commit these sensitive values:
# Quantum hardware credentials
QISKIT_IBM_TOKEN=your_token_here
AWS_BRAKET_CREDENTIALS=your_credentials_here
GOOGLE_QUANTUM_AI_KEY=your_key_here
# CI/CD secrets
GITHUB_TOKEN=your_token_here
DOCKER_HUB_TOKEN=your_token_here
NPM_TOKEN=your_token_hereRecommended secure storage methods:
- GitHub Secrets: For CI/CD workflows
- Environment Variables: For local development
- Credential Files: In
~/.qiskit/,~/.aws/, etc. (gitignored) - Key Management: AWS Secrets Manager, Azure Key Vault, etc.
# β DON'T: Hardcode credentials
QISKIT_TOKEN = "abc123xyz789"
# β DON'T: Log sensitive data
print(f"Using token: {token}")
# β DON'T: Include credentials in URLs
url = f"https://api.quantum.ibm.com/?token={token}"
# β DON'T: Store secrets in version control
config = {"ibm_token": "secret_token_here"}# β
DO: Use environment variables
import os
token = os.getenv('QISKIT_IBM_TOKEN')
# β
DO: Validate input circuits
from quantum_devops_ci.security import validate_circuit
validated_circuit = validate_circuit(user_circuit)
# β
DO: Use secure credential storage
from qiskit_ibm_runtime import QiskitRuntimeService
service = QiskitRuntimeService() # Uses secure credential file
# β
DO: Implement resource limits
@circuit_resource_limit(max_qubits=20, max_depth=100)
def process_circuit(circuit):
return optimize_circuit(circuit)# Run security scans
npm run security:scan
# Check for vulnerabilities
pip-audit
# Validate quantum configurations
quantum-test security --check-credentials --validate-circuits- Code Review: All PRs require security-focused review
- Penetration Testing: Quarterly external security assessments
- Quantum Circuit Analysis: Validation of circuit input handling
- Access Control Audit: Review of hardware access permissions
- No hardcoded secrets in code
- Sensitive data properly handled
- Input validation implemented
- Error messages don't leak information
- Dependencies are up-to-date
- Pre-commit security hooks pass
- Security review completed
- Dependencies scanned for vulnerabilities
- Secrets properly configured in CI/CD
- Access permissions reviewed
- Security documentation updated
- Supply Chain Attacks: Malicious dependencies
- Credential Theft: Exposed quantum hardware tokens
- Code Injection: Malicious quantum circuits
- Resource Exhaustion: DoS via expensive quantum operations
- Data Exfiltration: Unauthorized access to quantum results
- Man-in-the-Middle: Insecure quantum hardware communication
- Input validation and sanitization
- Secure credential management
- Resource usage monitoring
- Encrypted communications
- Access logging and monitoring
- Regular security assessments
We appreciate security researchers who help improve our security:
- Hall of Fame: Recognition for responsible disclosure
- Bug Bounty: Rewards for valid security findings
- Collaboration: Opportunity to work with our security team
This project follows security standards including:
- OWASP Application Security Verification Standard (ASVS)
- NIST Secure Software Development Framework
- ISO/IEC 27001 Information Security Management
- SOC 2 Type II (for hosted services)
For urgent security matters:
- Email: [email protected]
- Response Time: Within 24 hours for critical issues
- PGP Key: security-public-key.asc
Typical timeline for vulnerability disclosure:
- Day 0: Vulnerability reported
- Day 1-2: Initial response and triage
- Day 3-7: Vulnerability assessment and planning
- Day 8-30: Development and testing of fix
- Day 31: Security update released
- Day 45: Public disclosure (coordinated with reporter)
Last Updated: January 2025 Version: 1.0