Security updates are provided for the following versions:

DO NOT create public GitHub issues for security vulnerabilities.

Instead, please use one of these channels:

1. GitHub Private Vulnerability Reporting (preferred): Click "Report a vulnerability" on the Security Advisories page
2. Email: security@opencloudtouch.org

You should receive a response within 48 hours. If the issue is confirmed, we will:

1. Develop a fix in a private repository
2. Release a security patch
3. Publish a security advisory
4. Credit you in the release notes (if desired)

OpenCloudTouch is designed for trusted local networks only:

• ✅ In-scope: Home LAN, private network
• ❌ Out-of-scope: Public internet, untrusted networks

Assumption: All devices on the LAN are trusted.

OpenCloudTouch does not implement authentication. This is intentional:

• Target use case: Single household/LAN
• SoundTouch devices themselves have no authentication
• Adding auth would complicate local control

⚠️ WARNING: Never expose OpenCloudTouch directly to the internet without reverse proxy authentication.

Default CORS origins allow local development:

cors_origins:
  - "http://localhost:3000"
  - "http://localhost:5173"
  - "http://localhost:7777"

Production: Update config.yaml to restrict origins:

cors_origins:
  - "http://truenas.local:7777"
  - "http://192.168.1.50:7777"

Never use ["*"] in production - this allows any origin to access your API.

Container runs as UID 1000 (non-root):

RUN adduser --disabled-password --gecos '' --uid 1000 octouch
USER octouch

Recommended deployment uses read-only root filesystem:

podman run --read-only \
  -v /data/oct:/data:rw \
  opencloudtouch:latest

Only /data volume needs write access.

• Exposed port: 7777 only (HTTP API + frontend)
• No SSH, no shell access by default
• Minimal base image (python:3.13-slim-bookworm)

• Dependabot: Quarterly version updates, immediate security updates
• Trivy: Container vulnerability scanning in CI/CD
• Bandit: Python security linter (pre-commit hook)

Production dependencies use minimum version constraints:

# requirements.txt
fastapi >=0.115
uvicorn[standard] >=0.32

Exact versions are locked via pip freeze in the Docker build for reproducibility.

API runs on HTTP, not HTTPS.

Mitigation: Use reverse proxy (nginx, Caddy) for TLS termination:

server {
  listen 443 ssl;
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/key.pem;
  
  location / {
    proxy_pass http://localhost:7777;
  }
}

SQLite database has limited concurrent write support.

Impact: Not a security issue but may cause "database locked" errors under heavy load.

Mitigation: Single-user application; acceptable risk.

API has no rate limits.

Impact: Local network DoS possible.

Mitigation: Firewall rules at network level; acceptable for trusted LAN.

Place OpenCloudTouch on IoT VLAN separate from main network:

Main LAN: 192.168.1.0/24
IoT VLAN: 192.168.10.0/24 (SoundTouch devices + OpenCloudTouch)

Restrict access to OpenCloudTouch port:

# Allow only from specific subnet
iptables -A INPUT -p tcp --dport 7777 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j DROP

Enable Dependabot PRs and monitor for security advisories:

# .github/dependabot.yml (already configured)
version: 2
updates:
  - package-ecosystem: "pip"
    schedule:
      interval: "quarterly"  # security updates are immediate

Verify image signatures before running:

# Pull from official registry
podman pull ghcr.io/yourorg/opencloudtouch:v0.2.0

# Inspect image for vulnerabilities
podman inspect opencloudtouch:latest | grep "securityopt"

We follow industry-standard disclosure timeline:

1. Day 0: Vulnerability reported privately
2. Day 1-7: Confirmation and triage
3. Day 7-30: Develop and test fix
4. Day 30: Public disclosure + patch release

Critical vulnerabilities may be expedited.

Before deploying OpenCloudTouch:

• Deploy on trusted LAN only (not internet-facing)
• Update cors_origins in config.yaml (remove wildcards)
• Use reverse proxy with HTTPS if remote access needed
• Enable Dependabot alerts in GitHub repository
• Review container image scan results in CI
• Set firewall rules to restrict port 7777 access
• Use read-only container filesystem
• Keep container image updated (watch GitHub releases)

We thank security researchers who responsibly disclose vulnerabilities.

Hall of Fame: (future researcher credits will appear here)

Last Updated: 2026-02-13
Next Review: 2026-08-13 (6 months)