Security fixes are generally applied to the latest main branch state.
Please do not open public issues for sensitive vulnerabilities.
Instead, report security issues privately to the maintainers with:
- A clear description of the issue
- Steps to reproduce
- Expected impact
- Suggested remediation (if available)
You should receive an acknowledgement as soon as maintainers review the report.
- Change default `ENCRYPTION_KEY` in `rev_core/.env` before storing real provider tokens.
- Change default `SECRET_KEY` in `admin_pakage/admin_core/.env`.
- Protect `.env` files and never commit secrets to version control.
- Run behind TLS with restricted network access.
- Rotate provider API tokens and proxy access tokens periodically.
- Keep Go and Python dependencies updated.
- Monitor `/metrics` and `/status` endpoints for anomalies.
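
A pre-deployment check for the first three checklist items, as an added example (not part of this project's code): it flags a `.env` file that group or other users can access (POSIX modes) and a key that is unset, a placeholder, or short. The placeholder list and the 32-character minimum are assumptions, since the page does not give the default values.

```python
import pathlib
import secrets
import stat
import tempfile

# Paths and key names are from the checklist. The placeholder set and minimum
# length are assumptions: the page does not state the shipped default values.
TARGETS = {"rev_core/.env": "ENCRYPTION_KEY",
           "admin_pakage/admin_core/.env": "SECRET_KEY"}
PLACEHOLDERS = {"", "changeme", "change-me", "default", "secret"}
MIN_LENGTH = 32

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes."""
    values = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values

def audit_env(path, key):
    """Return findings for one .env file; an empty list means every check passed."""
    env = pathlib.Path(path)
    if not env.is_file():
        return [f"{path}: file not found"]
    findings = []
    mode = stat.S_IMODE(env.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:o} allows group/other access")
    value = parse_env(env.read_text(encoding="utf-8")).get(key)
    if value is None or value.lower() in PLACEHOLDERS or len(value) < MIN_LENGTH:
        findings.append(f"{path}: {key} is unset, a placeholder, or too short")
    return findings

def demo():
    """Audit a constructed weak file, then a constructed hardened one."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for body, mode in (("SECRET_KEY=changeme\n", 0o644),
                           (f"SECRET_KEY='{secrets.token_urlsafe(32)}'\n", 0o600)):
            env = pathlib.Path(tmp, ".env")
            env.write_text(body, encoding="utf-8")
            env.chmod(mode)
            results.append(audit_env(env, "SECRET_KEY"))
    return results

if __name__ == "__main__":
    print({path: audit_env(path, key) for path, key in TARGETS.items()})
```

Run it from the repository root so the relative paths in `TARGETS` resolve; `demo()` exercises the same checks on constructed files.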