Security

Security policies and vulnerability reporting for Zoneweaver frontend.

Table of contents

  1. Security Policy
    1. Reporting a Vulnerability
      1. Preferred Method: Security Advisory
      2. What to Include
    2. Response Process
      1. Severity Levels
    3. Security Considerations for Zoneweaver API
      1. High-Risk Areas
      2. Configuration Security
    4. Best Practices for Users
    5. Security Features
    6. Acknowledgments
      1. Hall of Fame
    7. Updates to This Policy

Loading supported versions...

Security Policy

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in Zoneweaver, please report it responsibly:

Preferred Method: Security Advisory

  1. Go to the GitHub Security Advisory page
  2. Click “Report a vulnerability”
  3. Fill out the advisory form with detailed information
  4. Submit the advisory

What to Include

Please provide as much information as possible:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Affected versions (if known)
  • Suggested fix (if you have one)
  • Your contact information for follow-up questions

Response Process

Due to limited development resources, please understand that:

  • Initial Response: We aim to acknowledge receipt within 48-72 hours
  • Assessment: Initial assessment will be completed within 1 week
  • Resolution: Timeline depends on severity and complexity, typically 1-4 weeks
  • Disclosure: Coordinated disclosure after fix is available

Severity Levels

  • Critical: Immediate attention (RCE, privilege escalation)
  • High: Quick response needed (authentication bypass, data exposure)
  • Medium: Standard timeline (DoS, information disclosure)
  • Low: Lower priority (minor information leaks)

Security Considerations for Zoneweaver API

Given that Zoneweaver API manages system-level operations on OmniOS, please pay special attention to:

High-Risk Areas

  • API Key Authentication: Bypasses or privilege escalation
  • Zone Management: Unauthorized zone creation/modification/deletion
  • File System Operations: Path traversal or unauthorized file access
  • Command Execution: Any potential for command injection
  • Network Operations: Unauthorized network configuration changes

Configuration Security

  • Default Configurations: Insecure defaults
  • SSL/TLS Implementation: Certificate validation, cipher suites
  • CORS Configuration: Origin validation bypasses
  • Database Security: SQL injection, unauthorized access

Best Practices for Users

To maintain security:

  1. Keep Updated: Always run the latest stable version
  2. Secure Configuration: Follow the security configuration guide
  3. API Key Management: Rotate API keys regularly, use strong keys
  4. Network Security: Use HTTPS, restrict network access appropriately
  5. Monitor Logs: Watch for suspicious activity in application logs

Security Features

Zoneweaver API includes several security features:

  • API Key Authentication: Bcrypt-hashed keys with configurable rounds
  • CORS Protection: Whitelist-based origin validation
  • SSL/TLS Support: Configurable HTTPS with custom certificates
  • Input Validation: Parameter validation and sanitization
  • Audit Logging: API key usage tracking

Acknowledgments

We appreciate the security research community’s efforts in making Zoneweaver API more secure. Responsible disclosure helps protect all users.

Hall of Fame

Contributors who responsibly report security vulnerabilities will be acknowledged here (with their permission):

  • No vulnerabilities reported yet

Updates to This Policy

This security policy may be updated as the project evolves. Check back periodically for changes.

Remember: Security is a shared responsibility. Your vigilance and responsible reporting help keep the entire Zoneweaver community safe.