| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, use GitHub's private vulnerability reporting:

Report a Security Vulnerability

Or manually:
- Go to the repository's Security tab
- Click Report a vulnerability
- Fill out the form with details

Please include the following in your report:

- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: What an attacker could achieve
- Affected Versions: Which versions are affected
- Suggested Fix: If you have one (optional)

What to expect after you report:

- Acknowledgment: Within 48 hours
- Assessment: We will investigate and assess severity
- Updates: We will keep you informed of progress
- Resolution: Critical issues addressed within 7 days
- Credit: You will be credited in release notes (unless you prefer anonymity)

- Please give us reasonable time to address the issue before public disclosure
- We follow coordinated disclosure practices

- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Rotate API keys periodically
- Use read-only API keys where possible

- Run behind a reverse proxy (nginx, Traefik, Caddy)
- Use HTTPS in production
- Keep Docker images updated
- Limit network exposure

- Use strong passwords for PostgreSQL
- Do not expose database ports to the internet
- Regular backups are recommended

When using AI analysis features, your API keys are:

- Stored in environment variables (not in the database)
- Never logged or exposed in the UI
- Only used for API calls to the respective providers

- Logs may contain sensitive information from your media servers
- Access to Logarr should be restricted to trusted users
- Consider your data retention policies

Security updates will be released as patch versions and announced in GitHub releases.