| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

If you discover a security vulnerability in OpenLander, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

OpenLander controls Docker on the host and is intended for trusted self-hosted environments. Do not expose the dashboard or MCP endpoint publicly without authentication, TLS, and network-level protection.

To report a vulnerability:

- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide a detailed description of the vulnerability

Include in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity
  - Critical: Patch within 48 hours
  - High: Patch within 1 week
  - Medium/Low: Next regular release

Security issues we care about:
- Remote code execution
- Container escape
- Credential exposure (API keys, tokens)
- Unauthorized access to deployed services
- Path traversal or file system access
- Shell injection via user input

We follow coordinated disclosure. We will:
- Confirm the vulnerability
- Develop and test a fix
- Release the fix
- Credit the reporter (unless they prefer anonymity)
- Publish a security advisory