We take security seriously at Glinr. If you discover a security vulnerability in GlinrDock, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities via:
- Email: security@glinr.dev
- Subject: `[SECURITY] GlinrDock Vulnerability Report`
When reporting a vulnerability, please provide:
- Description - Clear description of the vulnerability
- Steps to Reproduce - Detailed reproduction steps
- Impact Assessment - Potential impact and affected systems
- Proof of Concept - If available, include PoC code (responsibly)
- Suggested Fix - If you have ideas for remediation
- Contact Info - How we can reach you for follow-up
You can expect the following response timeline:
- Initial Response: Within 24 hours
- Triage: Within 3 business days
- Status Updates: Weekly until resolved
- Fix Timeline: Varies by severity (see below)
We use CVSS v3.1 scoring with the following response timelines:
| Severity | Score | Response Time | Public Disclosure |
|---|---|---|---|
| Critical | 9.0-10.0 | 24-48 hours | After fix release |
| High | 7.0-8.9 | 3-7 days | After fix release |
| Medium | 4.0-6.9 | 7-14 days | After fix release |
| Low | 0.1-3.9 | 14-30 days | After fix release |
We believe in recognizing security researchers who help keep GlinrDock secure:
- Security Hall of Fame - Public recognition (with permission)
- CVE Credits - Appropriate credit in CVE records
- Early Access - Beta access to new features
- Swag - GlinrDock merchandise for significant findings
Note: We do not currently offer monetary bug bounties.
```nginx
# Use a reverse proxy with TLS termination
# Example with nginx:
server {
    listen 443 ssl http2;
    server_name glinrdock.yourdomain.com;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

```bash
# Restrict direct access to GlinrDock
sudo ufw deny 8080           # Block external access to the direct port
sudo ufw allow 'Nginx Full'  # Allow HTTPS through nginx
```

```bash
# Generate a cryptographically secure admin token (256 bits)
ADMIN_TOKEN=$(openssl rand -hex 32)

# Set in configuration (redirect tee's stdout so the token is not echoed to the terminal)
echo "ADMIN_TOKEN=$ADMIN_TOKEN" | sudo tee -a /etc/glinrdock/glinrdock.conf > /dev/null

# Secure the configuration file
sudo chown root:glinrdock /etc/glinrdock/glinrdock.conf
sudo chmod 640 /etc/glinrdock/glinrdock.conf
```

```bash
# Create a dedicated user with minimal privileges
sudo useradd --system --user-group --home-dir /var/lib/glinrdock --shell /bin/false glinrdock

# Secure data directories
sudo mkdir -p /var/lib/glinrdock/{data,logs}
sudo chown -R glinrdock:glinrdock /var/lib/glinrdock
sudo chmod 750 /var/lib/glinrdock
sudo chmod 640 /var/lib/glinrdock/data/*

# Secure log files
sudo chmod 640 /var/lib/glinrdock/logs/*
```

```bash
# Enable Docker content trust
export DOCKER_CONTENT_TRUST=1

# Use user namespaces (if available)
# Note: this overwrites an existing /etc/docker/daemon.json; merge the key into
# your current file instead if you already have one.
echo '{"userns-remap": "default"}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker

# Restrict Docker socket access
sudo chmod 660 /var/run/docker.sock
sudo chown root:docker /var/run/docker.sock
```

```json
{
  "services": {
    "secure-app": {
      "image": "nginx:1.25-alpine",
      "user": "nginx",
      "read_only": true,
      "tmpfs": ["/tmp", "/var/cache/nginx", "/var/run"],
      "security_opt": [
        "no-new-privileges:true"
      ],
      "cap_drop": ["ALL"],
      "cap_add": ["NET_BIND_SERVICE"]
    }
  }
}
```

```json
{
  "services": {
    "resource-limited": {
      "image": "myapp:latest",
      "deploy": {
        "resources": {
          "limits": {
            "cpus": "0.5",
            "memory": "512M"
          },
          "reservations": {
            "cpus": "0.25",
            "memory": "256M"
          }
        }
      }
    }
  }
}
```

```bash
# Create isolated networks for different environments
docker network create --driver bridge --subnet=172.20.0.0/16 production
docker network create --driver bridge --subnet=172.21.0.0/16 staging
```

```bash
# GlinrDock configuration
GLINRDOCK_LOG_LEVEL=info
GLINRDOCK_AUDIT_LOG=true
GLINRDOCK_AUDIT_FILE=/var/lib/glinrdock/logs/audit.log
```

```bash
# Monitor suspicious activity
sudo tail -f /var/lib/glinrdock/logs/audit.log | grep -E "(FAILED_AUTH|UNAUTHORIZED|ERROR)"

# Set up log rotation
echo '/var/lib/glinrdock/logs/*.log {
    daily
    missingok
    rotate 30
    compress
    notifempty
    create 640 glinrdock glinrdock
}' | sudo tee /etc/logrotate.d/glinrdock
```

```bash
# Monitor for unusual container activity
docker events --filter event=start --filter event=stop --format "{{.Time}} {{.Action}} {{.Actor.Attributes.name}}"

# Resource monitoring
docker stats --no-stream --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
```

- Authentication Required - All API endpoints require valid tokens
- Input Validation - Strict validation of all user inputs
- SQL Injection Protection - Parameterized queries and ORM usage
- XSS Protection - Output encoding and CSP headers
- CSRF Protection - Token-based CSRF protection
- Rate Limiting - Built-in request rate limiting
- Audit Logging - Comprehensive operation logging
- Privilege Escalation Prevention - Containers run with least privileges
- Resource Constraints - CPU, memory, and I/O limits enforced
- Network Isolation - Containers isolated by default
- Image Verification - Support for signed images
- Security Scanning - Integration with vulnerability scanners
- Encryption at Rest - Database encryption support
- Secure Communications - TLS for all external communications
- Secret Management - Secure handling of sensitive data
- Backup Encryption - Encrypted backup support
- Key Rotation - Regular token rotation capabilities
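The `tail | grep` filter shown with the audit-log configuration above surfaces single events; the script below (an added example, not GlinrDock's own tooling) aggregates `FAILED_AUTH` events per source so repeated failures from one address stand out. The audit line layout and the `src=` field are assumptions made for this example; adjust them to the actual GlinrDock audit format.

```shell
#!/bin/sh
# Added example: count FAILED_AUTH audit events per source and flag sources
# that reach a threshold. Line format below is ASSUMED for this example.

# Constructed sample audit lines (not real log data).
SAMPLE_AUDIT='2024-09-10T12:00:01Z FAILED_AUTH src=203.0.113.5 path=/v1/projects
2024-09-10T12:00:02Z FAILED_AUTH src=203.0.113.5 path=/v1/projects
2024-09-10T12:00:03Z OK src=198.51.100.7 path=/v1/services
2024-09-10T12:00:04Z FAILED_AUTH src=203.0.113.5 path=/v1/projects
2024-09-10T12:00:05Z UNAUTHORIZED src=198.51.100.7 path=/v1/admin
2024-09-10T12:00:06Z FAILED_AUTH src=203.0.113.5 path=/v1/projects
2024-09-10T12:00:07Z FAILED_AUTH src=192.0.2.9 path=/v1/projects
2024-09-10T12:00:08Z FAILED_AUTH src=203.0.113.5 path=/v1/projects'

# flag_failed_auth THRESHOLD   (audit lines on stdin)
# Prints "src=<addr> count=<n>" for each source with THRESHOLD or more
# FAILED_AUTH events, highest count first. Reads to end of input, so run it
# over a log file (or a rotated copy), not a never-ending tail -f stream.
flag_failed_auth() {
    threshold="$1"
    awk -v t="$threshold" '
        $2 == "FAILED_AUTH" {
            # Locate the src=<addr> field wherever it sits on the line.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++ }
        }
        END {
            for (s in n)
                if (n[s] >= t) printf "src=%s count=%d\n", s, n[s]
        }
    ' | sort -t= -k3 -nr
}

# Demo on the constructed sample; in production:
#   sudo flag_failed_auth 5 < /var/lib/glinrdock/logs/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | flag_failed_auth 5
```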
If you suspect your GlinrDock installation has been compromised:
- Immediately rotate all admin tokens
- Review audit logs for suspicious activity
- Update to latest GlinrDock version
- Report the incident to security@glinr.dev
- Document all findings and remediation steps
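The first step of the checklist above, as an added example (not GlinrDock's own tooling): a function that replaces `ADMIN_TOKEN` in the `KEY=value` config file shown earlier, writing the new file atomically with the 640 mode recommended in this policy rather than appending a second token with `tee -a`. The config path and format are assumed from this page; the optional `owner:group` argument applies `root:glinrdock` when run as root.

```shell
#!/bin/sh
# Added example: rotate ADMIN_TOKEN in a GlinrDock-style KEY=value config.
# File path and format are assumptions based on this security policy.

# rotate_admin_token CONFIG_FILE [OWNER:GROUP]
# Replaces (or appends) the ADMIN_TOKEN line, keeps every other line, and
# swaps the file in atomically so readers never see a half-written config.
# Prints the new token on stdout so the caller can store it securely.
rotate_admin_token() {
    cfg="$1"
    owner="$2"
    # 256-bit token; fall back to /dev/urandom if openssl is unavailable.
    new_token=$(openssl rand -hex 32 2>/dev/null ||
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir=$(dirname "$cfg")
    # Temp file in the same directory => same filesystem => atomic mv.
    tmp=$(mktemp "$dir/.glinrdock.conf.XXXXXX")
    if [ -f "$cfg" ]; then
        # Copy all lines except any existing ADMIN_TOKEN assignment.
        grep -v '^ADMIN_TOKEN=' "$cfg" > "$tmp" || true
    fi
    echo "ADMIN_TOKEN=$new_token" >> "$tmp"
    chmod 640 "$tmp"
    if [ -n "$owner" ]; then chown "$owner" "$tmp"; fi
    mv -f "$tmp" "$cfg"
    echo "$new_token"
}

# is_valid_token TOKEN: 64 lowercase hex characters (32 random bytes).
is_valid_token() {
    echo "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Production usage (as root):
#   rotate_admin_token /etc/glinrdock/glinrdock.conf root:glinrdock
#   then restart GlinrDock and revoke any sessions issued under the old token.
```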
- Security Team: security@glinr.dev
- Critical Issues: security+urgent@glinr.dev (24/7 monitoring)
```bash
# Emergency shutdown
sudo systemctl stop glinrdock.service
docker-compose down

# Backup current state
sudo tar -czf /tmp/glinrdock-incident-$(date +%Y%m%d).tar.gz /var/lib/glinrdock

# Review logs
sudo journalctl -u glinrdock.service --since "1 hour ago" > /tmp/incident-logs.txt
```

GlinrDock is designed with compliance frameworks in mind:
- Comprehensive audit logging
- Access controls and authentication
- Data encryption capabilities
- Incident response procedures
- Risk management features
- Security monitoring capabilities
- Data classification support
- Business continuity features
- Data portability (backup/restore)
- Right to erasure capabilities
- Data processing transparency
- Privacy by design principles
We provide security updates through:
- GitHub Security Advisories
- Email notifications (for registered users)
- RSS Feed - Security-only updates
- API endpoint - `/v1/security/advisories`
```bash
# Enable automatic security updates (systemd)
sudo systemctl enable --now glinrdock-updater.timer

# Manual update check
glinrdockd update --check --security-only
```

```bash
# Verify release signatures
gpg --verify glinrdockd-linux-amd64.sig glinrdockd-linux-amd64

# Check checksums
sha256sum -c glinrdockd-linux-amd64.sha256
```

For security-related questions or clarifications on this policy:
- Email: security@glinr.dev
- Documentation: Security Best Practices
- Community: Security Discussions
Last Updated: September 2024