Security

Last updated: May 7, 2026

Reporting a Vulnerability

Email [email protected] with a description of the vulnerability, steps to reproduce, the affected component, and your contact info. Please do not open a public GitHub issue for security vulnerabilities.

Response

  • We acknowledge reports within 3 business days.
  • For critical issues, we provide a fix or mitigation plan within 30 days.
  • Default coordinated disclosure window: 90 days from the report date.

Scope

In scope: *.deploysapp.com (api, dashboard, admin, mymail, webmail, status) and the DeploysApp GitHub repository.

Out of scope: tenant-deployed user services, social engineering, physical attacks, denial-of-service attacks, and third-party dependency issues that are not exploitable in our deployment.

Safe Harbor

Researchers acting in good faith and following this policy will not be pursued legally. We won't take action against you for testing within scope and reporting responsibly.

Bug Bounty

We do not currently offer monetary rewards. We do offer public credit (with your permission) once a fix is deployed.

Platform Security Practices

  • HTTPS everywhere — Let's Encrypt certificates via Traefik, automatic renewal.
  • Container isolation — tenant containers run on the traefik_ingress network, separated from the platform's internal network.
  • Encrypted backups — managed backup feature with point-in-time recovery.
  • MFA support — TOTP-based two-factor authentication for accounts.
  • Docker socket separation — API and build worker have scoped access via docker-socket-proxy, not direct socket mounts.