
Security Policy

Supported Versions

| Version | Supported |
| --- | --- |
| release branch | Yes |
| development branch | Yes |
| beta branch | Yes |
| Other branches | No |

Reporting a Vulnerability

We take the security of this project seriously. If you discover a security vulnerability, please follow responsible disclosure.

How to Report

  1. Do NOT open a public issue for security vulnerabilities
  2. Report privately via GitHub Security Advisories
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Fix timeline: Depends on severity
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 60 days

Security Scope

This project ships a Docker-based stack, so in-scope concerns include:

  • Container escape vulnerabilities
  • Privilege escalation through the Docker configuration (privileged containers, added capabilities, host paths mounted into containers)
  • Ports or services exposed beyond the compose network
  • Insecure default configurations
  • Dependency vulnerabilities (PHP extensions, base images)
  • Credential handling in entrypoint scripts
  • Nginx/Apache misconfigurations

Out of Scope

  • WordPress core vulnerabilities (report to WordPress)
  • Third-party plugin/theme vulnerabilities
  • MariaDB or Redis upstream vulnerabilities

Security Best Practices

When deploying this stack:

  1. Never commit .env files or credentials to the repository
  2. Use strong, unique passwords for each service (database root, database application user, Redis)
  3. Keep base images updated (run docker compose pull regularly and recreate the containers)
  4. Run behind a reverse proxy with TLS termination
  5. Restrict network access to management ports (database, cache, admin interfaces): bind them to localhost or do not publish them on the host at all
  6. Monitor container logs for suspicious activity
  7. Set FLUSH_REDIS_ON_STARTUP=true on the next start after changing credentials so the cache is flushed
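Several of the practices above (restricted management ports, no isolation-weakening settings, strong per-service credentials) can be checked mechanically against the resolved Compose model. The script below is an added example written for this page, not code from this project. It assumes the input is the JSON that docker compose config --format json prints (long-form ports entries, environment as a mapping; the short string forms are handled too), assumes a phpMyAdmin-style admin UI on host port 8080, and uses two constructed models, a weak stack and a hardened one, in place of the project's real compose file. The file name audit_compose.py is hypothetical.

```python
"""Audit a resolved Compose model against the deployment practices above.

Added example, not part of this project. Reads the JSON printed by
`docker compose config --format json` and reports management ports published
on every interface, isolation-weakening settings (privileged, CAP_SYS_ADMIN,
host networking, a bind-mounted Docker socket) and weak or shared credential
values. The resolved model contains the real values from .env, so run this
locally and never commit its output.
"""
import json
import re
import sys

MANAGEMENT_PORTS = {3306: "mariadb", 6379: "redis", 8080: "phpmyadmin"}  # 8080 is assumed
WILDCARD_HOST_IPS = {None, "", "0.0.0.0", "::"}
CREDENTIAL_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|_KEY)$", re.IGNORECASE)
WEAK_VALUES = {"", "password", "changeme", "secret", "wordpress", "root", "admin", "example"}
MIN_SECRET_LEN = 16


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):  # None, "" or a range such as "3306-3310"
        return None


def parse_port(entry):
    """Normalise one ports entry to (host_ip, published, target)."""
    if isinstance(entry, dict):
        return entry.get("host_ip"), _as_int(entry.get("published")), _as_int(entry.get("target"))
    parts = str(entry).split("/")[0].split(":")  # drop a "/udp" suffix
    if len(parts) == 3:
        return parts[0], _as_int(parts[1]), _as_int(parts[2])
    if len(parts) == 2:
        return None, _as_int(parts[0]), _as_int(parts[1])
    return None, None, _as_int(parts[0])  # container port only, nothing published


def audit_ports(name, service):
    findings = []
    for entry in service.get("ports") or []:
        host_ip, published, target = parse_port(entry)
        label = MANAGEMENT_PORTS.get(target) or MANAGEMENT_PORTS.get(published)
        if published is not None and label and host_ip in WILDCARD_HOST_IPS:
            findings.append((name, "high", f"{label} port {published} is published on all interfaces; "
                             "bind it to 127.0.0.1 or drop the host mapping"))
    return findings


def audit_isolation(name, service):
    findings = []
    if service.get("privileged"):
        findings.append((name, "critical", "privileged: true disables most container isolation"))
    caps = {str(c).upper() for c in service.get("cap_add") or []} & {"SYS_ADMIN", "ALL"}
    if caps:
        findings.append((name, "high", f"cap_add {sorted(caps)} is a common container-escape primitive"))
    if service.get("network_mode") == "host":
        findings.append((name, "high", "network_mode: host puts every listener on the host network"))
    for vol in service.get("volumes") or []:
        source = vol.get("source") if isinstance(vol, dict) else str(vol).split(":")[0]
        if source == "/var/run/docker.sock":
            findings.append((name, "critical", "host Docker socket mounted into the container (root on the host)"))
    return findings


def audit_credentials(services):
    """Flag placeholder/short secrets; report one value held by several variables as low severity,
    because WordPress and MariaDB legitimately share the database password."""
    findings, holders = [], {}  # holders: value -> [(service, key), ...]
    for name, service in services.items():
        env = service.get("environment") or {}
        if isinstance(env, list):  # "KEY=value" list form
            env = dict(item.split("=", 1) if "=" in item else (item, "") for item in env)
        for key, value in env.items():
            if not CREDENTIAL_KEY.search(key):
                continue
            value = "" if value is None else str(value)
            if value.lower() in WEAK_VALUES or len(value) < MIN_SECRET_LEN:
                findings.append((name, "high", f"{key} is a placeholder or shorter than {MIN_SECRET_LEN} characters"))
            holders.setdefault(value, []).append((name, key))
    for uses in holders.values():
        if len({key for _, key in uses}) > 1:
            where = ", ".join(f"{svc}/{key}" for svc, key in uses)
            findings.append((uses[0][0], "low", f"one value shared by {where}; confirm the sharing is intended"))
    return findings


def audit(model):
    services = model.get("services") or {}
    findings = []
    for name, service in services.items():
        findings += audit_ports(name, service) + audit_isolation(name, service)
    return findings + audit_credentials(services)


# Constructed models for the demo, not this project's compose file.
WEAK_MODEL = {"services": {
    "db": {"image": "mariadb:11", "ports": ["3306:3306"],
           "environment": {"MARIADB_ROOT_PASSWORD": "wordpress", "MARIADB_PASSWORD": "wordpress"}},
    "redis": {"image": "redis:7", "ports": [{"target": 6379, "published": "6379", "protocol": "tcp"}]},
    "wordpress": {"image": "wordpress:fpm", "privileged": True,
                  "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
                  "environment": {"WORDPRESS_DB_PASSWORD": "wordpress"}}}}
HARDENED_MODEL = {"services": {
    "db": {"image": "mariadb:11", "ports": ["127.0.0.1:3306:3306"],
           "environment": {"MARIADB_ROOT_PASSWORD": "r00t-Gq7vX2mLp9TzWe4K", "MARIADB_PASSWORD": "app-N8sBf3HcQ1yLm6Vd"}},
    "redis": {"image": "redis:7"},  # reachable only on the compose network
    "wordpress": {"image": "wordpress:fpm", "environment": {"WORDPRESS_DB_PASSWORD": "app-N8sBf3HcQ1yLm6Vd"}}}}

if __name__ == "__main__":
    model = WEAK_MODEL if sys.stdin.isatty() else json.load(sys.stdin)
    for svc, severity, message in audit(model):
        print(f"[{severity}] {svc}: {message}")
```

Run it against a real deployment with docker compose config --format json | python audit_compose.py; with no input it audits the constructed weak model, which yields two published management ports, a privileged container, a mounted Docker socket and three placeholder passwords, while the hardened model produces only the low-severity note that the database password is held by both the db and wordpress services.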

Acknowledgments

We appreciate responsible disclosure from the security community. Contributors who report valid vulnerabilities will be credited (with permission) in release notes.