Security Policy¶
Reporting Security Vulnerabilities¶
GLINCKER LLC takes security seriously. If you discover a security vulnerability in GlinrDock, please report it responsibly.
Coordinated Disclosure Process¶
DO NOT report security vulnerabilities through public GitHub issues, discussions, or any public channels.
Instead, please email security details to:
security@glincker.com
Include the following information: - Description of the vulnerability - Steps to reproduce the issue - Potential impact assessment - Suggested fix (if available)
Response Timeline¶
- Acknowledgment: Within 24 hours
- Initial assessment: Within 72 hours
- Regular updates: Every 5 business days
- Fix timeline: Varies by severity (see below)
Severity Levels¶
| Severity | Response Time | Examples |
|---|---|---|
| Critical | 24-48 hours | Remote code execution, authentication bypass |
| High | 1 week | Privilege escalation, information disclosure |
| Medium | 2-4 weeks | Limited information disclosure, DoS |
| Low | Next release | Minor information leaks, configuration issues |
Security Best Practices¶
Installation Security¶
Strong Authentication:
Network Security:
# Bind to localhost only in production
GLINRDOCK_BIND_ADDR="127.0.0.1:8080"
# Use reverse proxy with TLS
# See INSTALL_DOCKER.md for nginx/traefik examples
File Permissions:
# Restrict config file access
sudo chmod 600 /etc/glinrdock/config.toml
sudo chown glinrdock:glinrdock /etc/glinrdock/config.toml
Docker Security¶
Container Hardening:
# Run with read-only filesystem
docker run --read-only --tmpfs /tmp ...
# Drop capabilities
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...
# Use non-root user
docker run --user 1000:1000 ...
Docker Socket Security:
# Restrict Docker socket access (if needed)
sudo chmod 660 /var/run/docker.sock
sudo chown root:docker /var/run/docker.sock
Production Deployment¶
Reverse Proxy with TLS: - Always use HTTPS in production - Configure proper SSL/TLS certificates - Implement proper HTTP security headers
Network Isolation: - Use Docker networks for container isolation - Implement firewall rules to restrict access - Consider VPN or private networks for administrative access
Regular Updates: - Subscribe to security announcements - Apply security patches promptly - Monitor for new releases
Authentication and Authorization¶
Token Management: - Use strong, randomly generated admin tokens - Rotate tokens periodically - Never expose tokens in logs or configuration files - Store tokens securely (environment variables, secrets management)
Access Control: - Implement role-based access control (RBAC) - Use principle of least privilege - Regular audit of user permissions
Monitoring and Logging¶
Security Logging: - Enable audit logging - Monitor authentication attempts - Log administrative actions - Set up alerting for suspicious activities
Log Security: - Protect log files from unauthorized access - Implement log rotation and retention policies - Consider centralized logging solutions
Supported Versions¶
| Version | Supported |
|---|---|
| Latest stable | ✅ |
| Previous minor | ✅ (security fixes only) |
| Older versions | ❌ |
Security Features¶
Built-in Security¶
- Token-based authentication
- RBAC (Role-Based Access Control)
- Audit logging
- Input validation and sanitization
- HTTPS support
- Container isolation
Security Scanning¶
All releases undergo: - Static code analysis - Dependency vulnerability scanning - Container image security scanning - Penetration testing (major releases)
Compliance¶
GlinrDock is designed with security compliance in mind: - SOC 2 Type II considerations - ISO 27001 best practices - NIST Cybersecurity Framework alignment
Security Resources¶
Documentation¶
External Resources¶
Security Contact¶
For security-related questions or concerns:
- Security issues: security@glincker.com
- General questions: support@glincker.com
- Documentation: GitHub Issues
Acknowledgments¶
We thank the security community for responsible disclosure and helping make GlinrDock more secure.
Last updated: 2025-01-01
Next review: 2025-07-01