Security Policy
Synced from repo docs
This page is synced from docs/policy/security.md via docs/public-docs.json. Edit the owning repo source instead of this generated copy. GitHub source: https://github.com/byteor-systems/byteor-cloud/blob/master/docs/policy/security.md
This page describes the current public security posture for ByteOr Cloud.
Credential separation
Cloud uses different credentials for humans, organization automation, enrollment, enrolled agents, and approval-sensitive actions. They should not be treated as interchangeable.
Secret handling
- secret-bearing adapter auth must stay in `secretRefs`
- masked secret refs must never be sent back as real values
- inline refs are encrypted at rest
- Vault-backed refs fail closed when control-plane Vault config is missing
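The four rules above as one worked example. This is added illustration, not ByteOr Cloud's own code: the ref shapes (`kind: inline` with ciphertext stored in the adapter config, `kind: vault` with a path resolved through control-plane Vault config), the `vault_fetch` callable, the `MASK` sentinel and the stdlib-only at-rest cipher (SHA-256 counter keystream plus HMAC tag) are all assumptions made here.

```python
"""Secret-ref handling as an added example; this is not ByteOr Cloud's
own code. Assumptions not taken from the page: a ref is a dict of kind
"inline" (ciphertext kept in the adapter config) or "vault" (a path
resolved through the control-plane Vault config); the at-rest cipher is
a SHA-256 counter keystream plus an HMAC tag, used only to stay
stdlib-only; the vault lookup is an injected callable."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

MASK = "********"  # what clients see in place of any secretRef value


class SecretRefError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt_inline(key: bytes, plaintext: str) -> dict:
    """Build an inline ref: encrypted at rest and integrity-protected."""
    nonce = secrets.token_bytes(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"kind": "inline", "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _decrypt_inline(key: bytes, ref: dict) -> str:
    nonce, ct = bytes.fromhex(ref["nonce"]), bytes.fromhex(ref["ct"])
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, bytes.fromhex(ref["tag"])):
        raise SecretRefError("inline ref failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def resolve(ref: dict, key: bytes, vault_fetch: Optional[Callable[[str], str]]) -> str:
    """Turn a stored ref into the real secret. vault_fetch is None when the
    control plane has no Vault config; vault refs then fail closed instead
    of falling back to anything."""
    kind = ref.get("kind")
    if kind == "inline":
        return _decrypt_inline(key, ref)
    if kind == "vault":
        if vault_fetch is None:
            raise SecretRefError("vault ref but no control-plane Vault config")
        return vault_fetch(ref["path"])
    raise SecretRefError(f"unknown ref kind {kind!r}")


def to_public(adapter: dict) -> dict:
    """Serialize an adapter config for clients with every secretRef masked."""
    out = dict(adapter)
    out["secretRefs"] = {name: MASK for name in adapter.get("secretRefs", {})}
    return out


def apply_update(stored: dict, incoming: dict, key: bytes) -> dict:
    """Merge a client update into the stored adapter config.
    A masked value means "keep the existing ref" and is never stored as a
    secret; a new inline value is encrypted before it is stored; anything
    that is not a ref shape is rejected, so secret-bearing auth cannot
    land outside secretRefs."""
    refs: Dict[str, dict] = dict(stored.get("secretRefs", {}))
    for name, value in incoming.get("secretRefs", {}).items():
        if value == MASK:
            if name not in refs:
                raise SecretRefError(f"masked value for unknown ref {name!r}")
            continue  # keep the stored ref untouched
        if not isinstance(value, dict):
            raise SecretRefError(f"{name!r} must be an inline or vault ref")
        if value.get("kind") == "inline" and "value" in value:
            refs[name] = encrypt_inline(key, value["value"])
        elif value.get("kind") == "vault" and "path" in value:
            refs[name] = {"kind": "vault", "path": value["path"]}
        else:
            raise SecretRefError(f"{name!r} is not a valid ref")
    merged = dict(stored)
    merged.update({k: v for k, v in incoming.items() if k != "secretRefs"})
    merged["secretRefs"] = refs
    return merged
```

The point worth copying is the round trip: `to_public` hands a client the masked form, and `apply_update` treats that mask as "unchanged" rather than writing `********` into storage as if it were a credential. Swap the toy cipher for a real AEAD in anything beyond an illustration.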
Hosted posture
- UI and OIDC callbacks stay on the `cloud.*` origin
- API traffic resolves through the `api.*` family
- agent runtime keys are environment- and agent-bound rather than global secrets
Abuse controls
- per-token rate limits
- enrollment throttling per environment
- request and artifact size caps
- concurrent deployment caps per environment
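One way to enforce the four controls above in a single request-path gate. This is an added example, not ByteOr Cloud's own code: the page names only the control types, so the limit values, the token-bucket and sliding-window shapes, the in-memory state and the injected clock are assumptions made here.

```python
"""Abuse controls as an added example; this is not ByteOr Cloud's own
code. The page names the four control types; the limit values, the
token-bucket and sliding-window shapes, the in-memory state and the
injected clock are assumptions made here."""
import hashlib
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Limits:
    token_rps: float = 5.0             # sustained requests per second per token
    token_burst: int = 10              # bucket capacity
    enroll_per_env_per_min: int = 20
    max_request_bytes: int = 1 << 20   # 1 MiB
    max_artifact_bytes: int = 64 << 20
    max_concurrent_deploys: int = 2


class AbuseControls:
    def __init__(self, limits: Optional[Limits] = None,
                 clock: Callable[[], float] = time.monotonic):
        self.limits = limits or Limits()
        self.clock = clock
        self._buckets: Dict[str, List[float]] = {}          # token digest -> [tokens, last_refill]
        self._enroll: Dict[str, Deque[float]] = defaultdict(deque)
        self._deploys: Dict[str, int] = defaultdict(int)

    def check_token(self, bearer: str) -> bool:
        """Per-token rate limit. Keyed by a digest so raw bearer tokens
        never sit in the limiter's memory."""
        key = hashlib.sha256(bearer.encode()).hexdigest()
        now = self.clock()
        bucket = self._buckets.setdefault(key, [float(self.limits.token_burst), now])
        tokens, last = bucket
        tokens = min(self.limits.token_burst, tokens + (now - last) * self.limits.token_rps)
        bucket[1] = now
        if tokens < 1.0:
            bucket[0] = tokens
            return False
        bucket[0] = tokens - 1.0
        return True

    def check_enrollment(self, environment: str) -> bool:
        """Enrollment throttle: sliding one-minute window per environment."""
        now = self.clock()
        window = self._enroll[environment]
        while window and now - window[0] >= 60.0:
            window.popleft()
        if len(window) >= self.limits.enroll_per_env_per_min:
            return False
        window.append(now)
        return True

    def check_sizes(self, request_bytes: int, artifact_bytes: int = 0) -> bool:
        """Request and artifact size caps; check before buffering the body."""
        return (request_bytes <= self.limits.max_request_bytes
                and artifact_bytes <= self.limits.max_artifact_bytes)

    def begin_deploy(self, environment: str) -> bool:
        """Concurrent deployment cap per environment; pair with end_deploy."""
        if self._deploys[environment] >= self.limits.max_concurrent_deploys:
            return False
        self._deploys[environment] += 1
        return True

    def end_deploy(self, environment: str) -> None:
        self._deploys[environment] = max(0, self._deploys[environment] - 1)
```

The clock is injected so the limiter can be tested deterministically; in a multi-instance control plane the state would live in a shared store rather than process memory, which this example does not cover.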
Review rule
Approval-sensitive deployment and replay actions require both normal RBAC access and matching approval coverage when the environment posture demands it.
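The rule as a decision function. This is an added example and not ByteOr Cloud's own code: the conjunction (RBAC and approval coverage whenever the posture demands it) is what the page states; the role names, the posture values, the approval record shape, the required-approval count and the exclusion of self-approval are assumptions made here.

```python
"""The review rule as an added example; this is not ByteOr Cloud's own
code. The rule (RBAC AND approval coverage when the posture demands it)
is from the page; the role names, posture values, approval record shape,
the required-approval count and the exclusion of self-approval are
assumptions made here."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

APPROVAL_SENSITIVE = frozenset({"deploy", "replay"})

# Role -> permitted actions (assumed role names)
RBAC: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset(),
    "deployer": frozenset({"deploy", "replay"}),
    "approver": frozenset({"approve"}),
}


@dataclass(frozen=True)
class Approval:
    approver: str
    action: str
    target: str  # what was approved, e.g. an artifact digest or replay id


@dataclass(frozen=True)
class Environment:
    name: str
    posture: str              # "open" or "approval-required" (assumed values)
    required_approvals: int = 1


def has_rbac(roles: Iterable[str], action: str) -> bool:
    return any(action in RBAC.get(role, frozenset()) for role in roles)


def approval_coverage(approvals: Iterable[Approval], action: str,
                      target: str, actor: str) -> int:
    """Distinct approvers whose approval matches this action and target.
    The actor's own approval does not count (assumption: no self-approval)."""
    return len({a.approver for a in approvals
                if a.action == action and a.target == target and a.approver != actor})


def authorize(actor: str, roles: Iterable[str], action: str, target: str,
              env: Environment, approvals: Iterable[Approval]) -> Tuple[bool, str]:
    if action not in APPROVAL_SENSITIVE:
        return False, f"{action!r} is not handled by the review rule"
    if not has_rbac(roles, action):
        return False, "rbac denied"  # approvals never substitute for RBAC
    if env.posture == "approval-required":
        n = approval_coverage(approvals, action, target, actor)
        if n < env.required_approvals:
            return False, f"approval coverage {n}/{env.required_approvals} for {target}"
    return True, "ok"
```

Two details matter in practice: an approval is matched on action and target, so an approval for one artifact cannot be replayed against another, and the RBAC check runs first, so holding approvals for an action you are not permitted to perform is not a path to performing it.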