| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability, please report it privately:
- Do not open a public GitHub issue
- Email security concerns to: hello@buildingopen.org
- Include a detailed description of the vulnerability
- Provide steps to reproduce if possible
We will respond within 48 hours and work with you to understand and resolve the issue.

- All secrets are encrypted at rest using AES-256-GCM
- Secrets are decrypted only at execution time within isolated containers
- Master encryption keys are never exposed to user code

- User code runs in isolated Docker containers
- Each execution gets a fresh environment
- No persistent state between runs
- Network access is controlled

- All API inputs are validated and sanitized
- File uploads are scanned and size-limited
- ZIP extraction has path traversal protection

- Rate limiting — Per-user and per-IP request throttling
- Quota enforcement — CPU/GPU usage limits per user
- Authorization checks — Ownership verification on all resources
- Zip bomb protection — Compression ratio limits on uploads
- Enhanced audit logging
- SOC 2 compliance controls
- Container escape detection
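
As an added illustration of two of the upload controls listed above, path traversal protection during ZIP extraction and a compression-ratio limit against zip bombs, here is a Python validator written for this page; it is not RunIt's own code, and the limits, the destination directory `/sandbox/work` and the sample archives produced by `build_zip` are assumptions.

```python
import io
import os
import zipfile

# Limits are assumed values for this example, not RunIt's actual configuration.
MAX_RATIO = 100                 # max uncompressed:compressed ratio per member
MAX_TOTAL_BYTES = 50 * 2 ** 20  # max total uncompressed bytes per archive


class UnsafeArchive(ValueError):
    """Raised when an upload violates a safety limit."""


def validate_archive(data: bytes, dest: str = "/sandbox/work",
                     max_ratio: int = MAX_RATIO, max_total: int = MAX_TOTAL_BYTES) -> dict:
    """Check every member before extraction; returns {name: real uncompressed size}."""
    dest_root = os.path.realpath(dest)
    sizes, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Path traversal: the resolved target must stay inside dest_root
            # (this catches absolute names and '..' segments alike).
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise UnsafeArchive(f"path traversal: {info.filename!r}")
            compressed = max(info.compress_size, 1)
            # Header sizes are attacker-controlled, so they are only a first filter;
            if info.file_size / compressed > max_ratio:
                raise UnsafeArchive(f"declared ratio too high: {info.filename!r}")
            # the real check counts bytes while inflating and stops at the cap.
            seen = 0
            with zf.open(info) as fh:
                while chunk := fh.read(65536):
                    seen += len(chunk)
                    total += len(chunk)
                    if total > max_total or seen / compressed > max_ratio:
                        raise UnsafeArchive(f"size limit exceeded at {info.filename!r}")
            sizes[info.filename] = seen
    return sizes


def build_zip(members: dict) -> bytes:
    """Constructed sample input: an in-memory archive with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```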

When using RunIt:
- Never commit secrets to your uploaded code
- Use the secrets management system for sensitive values
- Review the OpenAPI schema before sharing public links
- Monitor your execution logs for unexpected behavior