Please do not disclose vulnerabilities publicly in issues.
Report privately with:
- affected version/commit
- reproduction steps
- expected vs actual behavior
- impact
- suggested remediation (if available)
If GitHub Security Advisories are enabled for this repository, use that channel.
Security fixes are prioritized for the latest default branch.
- Treat this as a self-hosted application.
- Do not expose the app directly to the internet without protection.
- Place a reverse proxy/tunnel with access control in front of it.
- Keep Docker images, Python runtime, and host OS patched.
- Rotate tokens/secrets if compromise is suspected.
- Do not mount sensitive host paths into the app container.
- Issues in third-party infrastructure not controlled by this project.
- Insecure deployments operated without recommended safeguards.