Security Policy
Supported Versions
We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.0.x | ✅ |
| < 0.0.1 | ❌ |
Reporting a Vulnerability
We take the security of Wanaku seriously. If you believe you have found a security vulnerability, please report it to us responsibly (via contact@wanaku.ai).
How to Report
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing the project maintainers. You can find contact information in the project repository.
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
What to Expect
- You will receive an acknowledgment within 48 hours
- We will investigate and provide an estimated timeline for a fix
- We will notify you when the vulnerability is fixed
- We will publicly disclose the vulnerability after a fix is released
Security Best Practices
When deploying Wanaku, please follow these security best practices:
Authentication and Authorization
- Always use Keycloak or another OIDC provider for authentication
- Change default admin passwords immediately after setup
- Regenerate client secrets for the
wanaku-serviceclient in production - Use strong, unique passwords for all service accounts
Network Security
- Enable TLS/HTTPS for all external endpoints in production
- Configure CORS appropriately for your environment
- Use network policies to restrict access between services
- Never expose Keycloak or the router backend directly to the internet without proper security controls
Secret Management
- Never commit secrets, passwords, or API keys to version control
- Use Kubernetes Secrets, Sealed Secrets, or external secret management tools
- Rotate secrets regularly
- Use environment-specific secrets for development and production
Container Security
- Always use the latest stable version of Wanaku images
- Scan container images for vulnerabilities regularly
- Run containers with minimal privileges
- Use read-only file systems where possible
Monitoring and Auditing
- Enable access logging for the router backend
- Monitor authentication failures and unusual access patterns
- Review audit logs regularly
- Set up alerts for suspicious activity
For more security configuration options, see the Configuration Guide.
Acknowledgments
We appreciate the security research community's efforts in responsibly disclosing vulnerabilities.