mal/SECURITY.md

Security Policy

Supported Versions

This is a personal portfolio project, so there is no formal long-term support schedule. Security fixes are applied to the current main branch when issues are confirmed and within the practical maintenance capacity of the project.

Reporting A Vulnerability

Please do not open a public issue for a security vulnerability.

Report security concerns privately to the repository maintainer. Include as much detail as you can:

  • a description of the vulnerability;
  • steps to reproduce the issue;
  • affected routes, commands, files, or configuration;
  • the potential impact;
  • any suggested fix or mitigation, if you have one.

You can expect a best-effort response acknowledging the report, followed by validation and a fix when the issue is reproducible and in scope.

Security Scope

The most important security areas for this project are:

  • local authentication and session handling;
  • watchlist and playback progress data;
  • playback proxy tokens and signed stream access;
  • subtitle and playlist proxying;
  • external provider integration boundaries;
  • SQLite database access and migrations;
  • configuration loaded from environment variables or .env files.

Reports involving these areas are especially useful.

Out Of Scope

The following are generally out of scope unless they expose a direct application vulnerability:

  • issues that require full local machine access;
  • denial-of-service reports against a local development server;
  • vulnerabilities in third-party services outside this repository;
  • missing production hardening for deployments that are not documented or supported by the project;
  • social engineering or physical attacks.

Operational Notes

This application is designed to be self-hosted and local-first. If you deploy it beyond a private local environment, you are responsible for the surrounding production controls, including TLS, network access, backups, secrets management, reverse proxy configuration, logging retention, and dependency monitoring.

Use a strong PLAYBACK_PROXY_SECRET if playback proxy token signing is enabled. Do not commit real secrets, provider tokens, session data, or production databases to the repository.
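The note above says playback proxy tokens are signed with PLAYBACK_PROXY_SECRET but does not show what a signed-stream check looks like. The following is an added illustration, not the project's own code: it assumes a hypothetical token layout of `<base64url(streamID)>.<expiryUnix>.<hex HMAC-SHA256>`, rejects secrets shorter than 32 bytes before signing, verifies the signature in constant time before trusting any field, and only then enforces the expiry. The secret and stream id in `main` are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// minSecretBytes is an assumed floor for PLAYBACK_PROXY_SECRET; 32 bytes
// matches the HMAC-SHA256 output size, so shorter secrets give no benefit.
const minSecretBytes = 32

var (
	ErrWeakSecret   = errors.New("PLAYBACK_PROXY_SECRET must be at least 32 bytes")
	ErrBadToken     = errors.New("malformed playback token")
	ErrBadSignature = errors.New("playback token signature mismatch")
	ErrExpired      = errors.New("playback token expired")
)

// checkSecret refuses to sign anything with a short secret.
func checkSecret(secret []byte) error {
	if len(secret) < minSecretBytes {
		return ErrWeakSecret
	}
	return nil
}

// sign returns the hex HMAC-SHA256 of payload under secret.
func sign(secret []byte, payload string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// MintToken issues a token for streamID that is valid until exp.
// The expiry is part of the signed payload, so it cannot be extended
// by editing the token.
func MintToken(secret []byte, streamID string, exp time.Time) (string, error) {
	if err := checkSecret(secret); err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString([]byte(streamID)) +
		"." + strconv.FormatInt(exp.Unix(), 10)
	return payload + "." + sign(secret, payload), nil
}

// VerifyToken checks the signature first (constant-time compare), then the
// expiry, and only then decodes and returns the stream id.
func VerifyToken(secret []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrBadToken
	}
	payload := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(sign(secret, payload)), []byte(parts[2])) {
		return "", ErrBadSignature
	}
	expUnix, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return "", ErrBadToken
	}
	if !now.Before(time.Unix(expUnix, 0)) {
		return "", ErrExpired
	}
	id, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", ErrBadToken
	}
	return string(id), nil
}

func main() {
	// Constructed sample secret; a real deployment would load it from
	// PLAYBACK_PROXY_SECRET, generated randomly and never committed.
	secret := []byte("constructed-sample-secret-do-not-reuse-0123456789")
	now := time.Now()
	tok, err := MintToken(secret, "movie/42", now.Add(5*time.Minute))
	if err != nil {
		panic(err)
	}
	id, err := VerifyToken(secret, tok, now)
	fmt.Printf("token=%s\nstream=%q err=%v\n", tok, id, err)
}
```

The order inside VerifyToken is the point: nothing in the token is parsed or acted on until the HMAC has been checked with hmac.Equal, so a tampered expiry or stream id fails as a signature mismatch rather than reaching the proxy logic.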

Dependency Security

Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal local checks before merging:

just check

Security-related dependency updates should be kept small and reviewed separately when possible.