Skip to content

Security: cluion/obsync

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in obsync, please report it responsibly.

Preferred Method: GitHub Security Advisories

Report vulnerabilities through GitHub Security Advisories. This allows us to coordinate a fix and disclosure.

Alternative: Email

If you cannot use GitHub Security Advisories, send a report to the project maintainers via email. Please:

  • Use a descriptive subject line (e.g., "Security vulnerability in file upload handler")
  • Include steps to reproduce the issue
  • Describe the potential impact
  • Suggest a fix if you have one

What to Include

  • Description of the vulnerability
  • Affected versions
  • Steps to reproduce
  • Proof of concept (if applicable)
  • Potential impact

What Not to Do

  • Do not open a public GitHub issue for security vulnerabilities
  • Do not exploit the vulnerability beyond what is needed to demonstrate it
  • Do not disclose the vulnerability publicly before a fix is available

Response Timeline

  • Acknowledgment: We will acknowledge your report within 48 hours
  • Assessment: We will assess the severity and provide an initial response within 5 business days
  • Fix: We will work on a fix and keep you informed of progress
  • Disclosure: We will coordinate disclosure with you after the fix is released

Supported Versions

We support the following versions with security updates:

Version Supported
0.1.x Yes (current)
< 0.1 No

We support the latest minor release of the current major version. Older versions may not receive security fixes.

Security Features

obsync includes several built-in security mechanisms:

  • JWT authentication with rotating refresh tokens
  • bcrypt password hashing (cost factor 12)
  • Device management with revocation support
  • Path traversal protection on all file operations
  • Hash verification for file integrity during upload and download
  • Optimistic concurrency control to prevent data races
  • Disk space monitoring to prevent denial-of-service via storage exhaustion

Bug Bounty Program

We do not currently have a bug bounty program. We appreciate responsible disclosure and will credit security researchers in our advisories.

Known Security Considerations

  • The server does not use TLS natively. Use a reverse proxy (nginx, Caddy, etc.) for TLS termination in production.
  • JWT secrets are auto-generated on first run and stored in the data directory. Protect the data directory with appropriate filesystem permissions.
  • The WebSocket endpoint does not enforce origin restrictions. Deploy behind a reverse proxy if origin validation is required.

There aren't any published security advisories