We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of Paperless-NGX Deduplication Tool seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should never be reported through public GitHub issues.
Please report security vulnerabilities by emailing:
- Email: [email protected]
- Subject: [SECURITY] Paperless-NGX Dedupe Vulnerability
Include the following information:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment and potential attack scenarios
- Initial Response: Within 48 hours
- Vulnerability Assessment: Within 1 week
- Patch Development: Based on severity
  - Critical: Within 48 hours
  - High: Within 1 week
  - Medium: Within 2 weeks
  - Low: Next regular release
- Security report received and acknowledged
- Vulnerability confirmed and assessed
- Fix developed and tested
- Security advisory prepared
- Patch released with advisory
- Public disclosure (after users have time to update)
When deploying Paperless-NGX Deduplication Tool:
- Always change the default `SECRET_KEY` in production
- Use strong API tokens for paperless-ngx authentication
- Never commit credentials to version control
- Use environment variables or secrets management
- Run behind a reverse proxy (nginx, traefik) with TLS
- Restrict database and Redis ports to local network only
- Use firewall rules to limit access to necessary ports
- Consider VPN access for remote administration
- Regularly update base images
- Run containers as non-root users (already configured)
- Use read-only file systems where possible
- Implement resource limits
- Encrypt sensitive data at rest
- Use encrypted connections to paperless-ngx
- Regular backups of PostgreSQL database
- Secure backup storage
- Enable application logs
- Monitor for unusual activity
- Set up alerts for failed authentication attempts
- Regular security audits
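As an added illustration of the configuration, network and container recommendations above (this is not a compose file shipped with Paperless-NGX Deduplication Tool; the service names, image tags, volume paths and every environment variable other than `SECRET_KEY` are assumptions), a docker-compose fragment that applies them:

```yaml
# Added example, not the project's own compose file. Service/image names,
# volume paths and env var names (except SECRET_KEY) are assumptions.
services:
  app:
    image: example/paperless-dedupe:1.0    # hypothetical tag; pin it and update regularly
    user: "1000:1000"                      # unprivileged user, never root
    read_only: true                        # immutable root filesystem
    tmpfs:
      - /tmp                               # writable scratch space only where needed
    environment:
      # ${VAR:?msg} makes compose refuse to start if the variable is unset or empty,
      # so a forgotten SECRET_KEY or token cannot silently fall back to a default.
      SECRET_KEY: ${SECRET_KEY:?set SECRET_KEY in the environment}
      PAPERLESS_API_TOKEN: ${PAPERLESS_API_TOKEN:?set a paperless-ngx API token}
      DATABASE_URL: postgresql://dedupe:${DB_PASSWORD:?set DB_PASSWORD}@db:5432/dedupe
      REDIS_URL: redis://:${REDIS_PASSWORD:?set REDIS_PASSWORD}@redis:6379/0
    ports:
      - "127.0.0.1:8000:8000"              # only a local TLS reverse proxy can reach the app
    deploy:
      resources:
        limits:                            # resource limits against runaway/DoS
          cpus: "1.0"
          memory: 512M
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    depends_on: [db, redis]

  db:
    image: postgres:16
    environment:
      POSTGRES_USER: dedupe
      POSTGRES_PASSWORD: ${DB_PASSWORD}   # strong, from the environment or a secrets manager
      POSTGRES_DB: dedupe
    volumes:
      - pgdata:/var/lib/postgresql/data
    # no `ports:` entry: reachable only on the internal compose network

  redis:
    image: redis:7
    command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}"]   # Redis AUTH
    # no `ports:` entry: never exposed to the host or the internet

volumes:
  pgdata:
```

The values referenced with `${...}` belong in a git-ignored `.env` file or a secrets manager, never in the committed compose file. Binding the app to `127.0.0.1` and leaving `ports:` off the database and Redis services keeps those listeners off the host's external interfaces; TLS is then terminated by the reverse proxy in front of port 8000.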
The application includes these security features:
- Non-root containers: Services run as unprivileged users
- Health checks: Automatic detection of service issues
- Rate limiting: API rate limiting to prevent abuse
- Input validation: Pydantic models for data validation
- SQL injection protection: SQLAlchemy ORM with parameterized queries
- XSS protection: React's built-in XSS protection
- CORS configuration: Restricted cross-origin requests
- Automated dependency updates via Dependabot
- Weekly security scanning with Trivy
- SBOM (Software Bill of Materials) generation
- Regular base image updates
- This tool requires API access to your paperless-ngx instance
- Ensure paperless-ngx is properly secured
- Use API tokens instead of username/password when possible
- Regularly rotate API tokens
- Redis instance should not be exposed to the internet
- Consider Redis AUTH if deploying in shared environments
- Monitor Redis memory usage to prevent DoS
- Use strong passwords for database users
- Restrict database access to application only
- Regular backups and test restore procedures
- Enable SSL for remote connections
- Changed default SECRET_KEY
- Configured TLS/HTTPS
- Set strong database passwords
- Restricted network access
- Enabled logging and monitoring
- Regular backup schedule
- Update schedule for dependencies
- Security scanning in CI/CD
- Incident response plan
For security concerns, contact:
- Security Email: [email protected]
- PGP Key: Available upon request
We appreciate responsible disclosure and will acknowledge security researchers who:
- Follow this security policy
- Allow reasonable time for patching
- Avoid privacy violations or data destruction
- Act in good faith
Thank you for helping keep Paperless-NGX Deduplication Tool secure!