We take security vulnerabilities seriously. If you discover a security issue in obsync, please report it responsibly.
Report vulnerabilities through GitHub Security Advisories. This allows us to coordinate a fix and disclosure.
If you cannot use GitHub Security Advisories, send a report to the project maintainers via email. Please:
- Use a descriptive subject line (e.g., "Security vulnerability in file upload handler")
- Include steps to reproduce the issue
- Describe the potential impact
- Suggest a fix if you have one
- Description of the vulnerability
- Affected versions
- Steps to reproduce
- Proof of concept (if applicable)
- Potential impact
- Do not open a public GitHub issue for security vulnerabilities
- Do not exploit the vulnerability beyond what is needed to demonstrate it
- Do not disclose the vulnerability publicly before a fix is available
- Acknowledgment: We will acknowledge your report within 48 hours
- Assessment: We will assess the severity and provide an initial response within 5 business days
- Fix: We will work on a fix and keep you informed of progress
- Disclosure: We will coordinate disclosure with you after the fix is released
We support the following versions with security updates:
| Version | Supported |
|---|---|
| 0.1.x | Yes (current) |
| < 0.1 | No |
We support the latest minor release of the current major version. Older versions may not receive security fixes.
obsync includes several built-in security mechanisms:
- JWT authentication with rotating refresh tokens
- bcrypt password hashing (cost factor 12)
- Device management with revocation support
- Path traversal protection on all file operations
- Hash verification for file integrity during upload and download
- Optimistic concurrency control to prevent data races
- Disk space monitoring to prevent denial-of-service via storage exhaustion
We do not currently have a bug bounty program. We appreciate responsible disclosure and will credit security researchers in our advisories.
- The server does not use TLS natively. Use a reverse proxy (nginx, Caddy, etc.) for TLS termination in production.
- JWT secrets are auto-generated on first run and stored in the data directory. Protect the data directory with appropriate filesystem permissions.
- The WebSocket endpoint does not enforce origin restrictions. Deploy behind a reverse proxy if origin validation is required.