We actively maintain and provide security updates for the following:
| Component | Version | Supported |
|---|---|---|
| tipi-store (latest) | All releases | ✅ |
| Applications | Latest versions | ✅ |
| CI/CD Infrastructure | Current | ✅ |
| Documentation | Current | ✅ |
If you discover a security vulnerability in this repository (automation scripts, configurations, or infrastructure), please report it responsibly:
Private Disclosure (Preferred)
- Email: Create a GitHub Security Advisory
- Use GitHub's private vulnerability reporting feature
- Include detailed information about the vulnerability
Direct Contact
- Create a private issue or contact maintainers directly
- Do not create public issues for security vulnerabilities
If you find a security issue in one of the applications we package:
- Report to Upstream: Contact the original application maintainers first
- Notify Us: Let us know so we can coordinate updates
- Follow Responsible Disclosure: Allow time for fixes before public disclosure
- Automated Dependency Updates: Renovate Bot monitors and updates dependencies
- CI/CD Validation: All changes undergo automated security checks
- Code Scanning: GitHub's security features scan for vulnerabilities
- Audit Trail: All changes are tracked and reviewed
- Rootless by Default: Applications run as a non-root user (UID:GID 1000:1000)
- Pinned Dependencies: Docker images are pinned to specific versions
- Health Checks: Real health monitoring of the application, not just a check that its port is open
- Supply Chain Protection: Secure CI/CD reduces the risk of compromised upstream changes reaching the store
- Automated Workflows: GitHub Actions with restricted permissions
- Secret Management: Proper handling of sensitive information
- Monitoring: Automated detection of unusual activity
- Regular Updates: Frequent security updates via automation
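To make the rootless, pinned and health-checked pattern concrete, here is a constructed docker-compose fragment added as an illustration (it is not an app definition from tipi-store). It shows the weaker form beside the form the list above describes; the image names, the digest and the `/healthz` endpoint are placeholders.

```yaml
# Constructed example, not a file from the tipi-store repository.
services:
  # Weaker form: runs as root, floating tag, "health" is only an open port.
  app-weak:
    image: example/app:latest            # placeholder; a floating tag can change underneath you
    ports:
      - "8080:8080"
    healthcheck:
      test: ["CMD-SHELL", "nc -z localhost 8080"]  # port check only: a hung process still passes

  # Form matching the store's stated measures.
  app:
    # Pinned to an exact version and image digest (digest below is a placeholder).
    image: example/app:1.2.3@sha256:0000000000000000000000000000000000000000000000000000000000000000
    user: "1000:1000"                    # rootless by default (UID:GID 1000:1000)
    ports:
      - "8080:8080"
    volumes:
      - ./data:/data                     # host directory must be owned by 1000:1000
    healthcheck:
      # Real health check: the app must answer its own health endpoint (assumed path).
      test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 20s
```

Running `docker compose config` validates the file locally, and `docker inspect --format '{{.State.Health.Status}}' <container>` shows whether the real health check is passing.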
When using applications from this store:
- Keep Updated: Enable automatic updates in Runtipi
- Use Strong Passwords: Set secure passwords for all services
- Network Security: Put services behind a reverse proxy with SSL/TLS
- Regular Backups: Back up your data regularly
- Monitor Logs: Check application logs for suspicious activity
When contributing to this repository:
- Validate Configurations: Test all Docker configurations locally
- Review Dependencies: Check for known vulnerabilities in dependencies
- Document Changes: Clearly document security-relevant changes
- Follow Standards: Use established security patterns and practices
- ✅ Repository Infrastructure: CI/CD, automation, and configuration files
- ✅ Application Packaging: Docker configurations and metadata
- ✅ Documentation: Security guidance and best practices
- ✅ Dependency Management: Automated updates and vulnerability monitoring
- ❌ Upstream Applications: Security of the original applications (report to upstream)
- ❌ Runtipi Platform: Security of the Runtipi platform itself
- ❌ User Configurations: Custom configurations and modifications
- ❌ Network Infrastructure: User's network and server security
- Acknowledge receipt of vulnerability report
- Assign severity level and priority
- Begin initial assessment
- Reproduce and validate the vulnerability
- Assess impact and affected components
- Develop remediation plan
- Critical: Immediate fix and release
- High: Fix within 7 days
- Medium: Fix within 30 days
- Low: Fix in next regular release
- Coordinate with reporter on disclosure timeline
- Publish security advisory if applicable
- Update documentation and guidance
We track and monitor:
- Update Frequency: How quickly we apply security updates
- Response Time: Time to acknowledge and fix vulnerabilities
- Coverage: Percentage of dependencies under automated monitoring
- Compliance: Adherence to security best practices
- Runtipi Security: Platform security documentation
- Docker Security: Container security best practices
- OWASP: Web application security guidance
- CIS Benchmarks: Security configuration standards
- Contributing Guidelines: Security considerations for contributors
- CI/CD Documentation: Automation security measures
- Application Standards: Security requirements for applications
- Do Not Panic: Take a systematic approach to assessment
- Gather Information: Document what you have observed
- Secure Systems: Take immediate protective measures if needed
- Report Immediately: Contact us through secure channels
- Preserve Evidence: Keep logs and evidence for investigation
- Immediate Assessment: Rapid evaluation of incident severity
- Containment: Steps to prevent further damage
- Investigation: Thorough analysis of root cause
- Remediation: Fix vulnerabilities and strengthen defenses
- Post-Incident Review: Learn and improve security measures
- GitHub Security Advisories: Create Advisory
- Issues: GitHub Issues (for non-sensitive matters)
- Discord: Community Support
- Critical Vulnerabilities: Within 24 hours
- High Severity: Within 48 hours
- Medium/Low Severity: Within 7 days
- General Security Questions: Within 14 days
We appreciate responsible disclosure and will acknowledge security researchers who help improve our security posture. Your contributions help keep the self-hosting community safe.
Thank you for helping keep tipi-store secure!
Last updated: June 2025