Responsible disclosure
Security Policy
We take security seriously. If you discover a vulnerability in Admina, please report it responsibly so we can address it before public disclosure.
Supported versions
Security fixes are applied to the latest stable release. We strongly recommend always running the most recent version of Admina.
| Version | Supported |
|---|---|
| v0.2.x (latest) | Active |
| v0.1.x | End of life |
How to report a vulnerability
Please do not open a public GitHub issue for security vulnerabilities. Instead, use one of the following private channels:
What to include in your report
- A clear description of the vulnerability and its potential impact
- Steps to reproduce (proof of concept, if available)
- Affected version(s) and configuration
- Any suggested mitigations or patches
The more detail you provide, the faster we can triage and patch.
Our commitment to you
We will acknowledge receipt of your report within 48 hours.
We aim to confirm, classify, and begin remediation within 7 days.
With your permission, we will publicly credit you in the release notes and security advisory.
We will coordinate with you on timing before publishing the advisory. We follow a 90-day disclosure window.
Scope
The following are in scope for security reports:
- The Admina proxy server (admina Python package)
- The Rust core engine (admina-engine)
- Authentication and authorization mechanisms (JWT, API keys)
- Data handling: PII redaction, forensic black box integrity
- Docker images published under ghcr.io/admina-org/admina
Out of scope: the admina.org website itself, third-party dependencies (report those upstream).
Safe harbour
We consider good-faith security research to be authorized and will not pursue legal action against researchers who follow this policy. We ask that you avoid accessing or modifying data belonging to other users, disrupting production systems, or publicly disclosing before the coordinated disclosure window has elapsed.