oikos/SECURITY.md
Ulas be8af0f154 docs: overhaul README for professional project presentation
Restructure README with compelling hero section, "Why Oikos?" philosophy
section, two-column feature grid, tablet screenshot gallery, and streamlined
quick start. Add GitHub Private Vulnerability Reporting link to SECURITY.md.
Include social preview HTML template for GitHub social card generation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-31 17:34:23 +02:00


Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Oikos, please report it responsibly. Do not open a public issue.

Instead, use GitHub Private Vulnerability Reporting to submit your report. This creates a private advisory visible only to you and the maintainers.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)

You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible.

Scope

Oikos is designed for self-hosted deployment on a private network behind a TLS-terminating reverse proxy. The security model assumes:

  • The server is not directly exposed to the public internet without Nginx + TLS
  • The admin controls all user accounts (no public registration)
  • The host machine itself is reasonably secured

Vulnerabilities that require physical access to the host or root on the server are generally out of scope.

Security Features

  • Session-based auth with httpOnly, SameSite=Strict, Secure cookies
  • CSRF protection via Double Submit Cookie on all state-changing requests
  • Passwords hashed with bcrypt (cost factor 12)
  • Login rate limiting (5 attempts/min per IP)
  • API rate limiting (300 requests/min per IP)
  • Content Security Policy via Helmet (self-only)
  • Optional SQLCipher AES-256 database encryption
  • No API endpoint accessible without session auth (except login)

Supported Versions

Only the latest version on main receives security updates. There are no LTS branches.