|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +Only the latest stable release receives security patches. We strongly recommend always keeping OpenList up to date. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| -------------------- | ------------------ | |
| 9 | +| Latest stable (v4.x) | :white_check_mark: | |
| 10 | +| Older versions | :x: | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +**Please do NOT report security vulnerabilities through public GitHub Issues.** |
| 15 | + |
| 16 | +If you discover a security vulnerability in OpenList, please report it responsibly by using one of the following channels: |
| 17 | + |
| 18 | +- **GitHub Private Security Advisory** (preferred): [Submit here](https://github.com/OpenListTeam/OpenList/security/advisories/new) |
| 19 | +- **Telegram**: Contact a maintainer privately via [@OpenListTeam](https://t.me/OpenListTeam) |
| 20 | + |
| 21 | +When reporting, please include as much of the following as possible: |
| 22 | + |
| 23 | +- A description of the vulnerability and its potential impact |
| 24 | +- The affected version(s) |
| 25 | +- Step-by-step instructions to reproduce the issue |
| 26 | +- Any proof-of-concept code or screenshots (if applicable) |
| 27 | +- Suggested mitigation or fix (optional but appreciated) |
| 28 | + |
| 29 | +## Security Best Practices for Users |
| 30 | + |
| 31 | +To keep your OpenList instance secure: |
| 32 | + |
| 33 | +- Always update to the latest release. |
| 34 | +- Use a strong, unique admin password and change it after first login. |
| 35 | +- Enable HTTPS (TLS) for your deployment — do **not** expose OpenList over plain HTTP on the public internet. |
| 36 | +- Limit exposed ports using a reverse proxy (e.g., Nginx, Caddy). |
| 37 | +- Set up access controls and avoid enabling guest access unless necessary. |
| 38 | +- Regularly review mounted storage permissions and revoke unused API tokens. |
| 39 | +- When using Docker, avoid running the container as root if possible. |
| 40 | + |
| 41 | +## Acknowledgments |
| 42 | + |
| 43 | +We sincerely thank all security researchers and community members who responsibly disclose vulnerabilities and help make OpenList safer for everyone. |
| 44 | + |
| 45 | +--- |
| 46 | + |
| 47 | +# 安全政策 |
| 48 | + |
| 49 | +## 支持的版本 |
| 50 | + |
| 51 | +我们仅对最新稳定版本提供安全补丁。强烈建议始终保持 OpenList 为最新版本。 |
| 52 | + |
| 53 | +| 版本 | 是否支持 | |
| 54 | +| ------------------ | ------------------ | |
| 55 | +| 最新稳定版(v4.x) | :white_check_mark: | |
| 56 | +| 旧版本 | :x: | |
| 57 | + |
| 58 | +## 报告漏洞 |
| 59 | + |
| 60 | +**请勿通过公开的 GitHub Issues 报告安全漏洞。** |
| 61 | + |
| 62 | +如果您在 OpenList 中发现安全漏洞,请通过以下渠道之一负责任地进行报告: |
| 63 | + |
| 64 | +- **GitHub 私密安全公告**(推荐):[点击提交](https://github.com/OpenListTeam/OpenList/security/advisories/new) |
| 65 | +- **Telegram**:通过 [@OpenListTeam](https://t.me/OpenListTeam) 私信联系维护者 |
| 66 | + |
| 67 | +报告时,请尽量提供以下信息: |
| 68 | + |
| 69 | +- 漏洞描述及其潜在影响 |
| 70 | +- 受影响的版本 |
| 71 | +- 复现问题的详细步骤 |
| 72 | +- 概念验证代码或截图(如有) |
| 73 | +- 建议的缓解措施或修复方案(可选,但非常欢迎) |
| 74 | + |
| 75 | +## 用户安全最佳实践 |
| 76 | + |
| 77 | +为保障您的 OpenList 实例安全: |
| 78 | + |
| 79 | +- 始终更新至最新版本。 |
| 80 | +- 使用强且唯一的管理员密码,并在首次登录后立即修改。 |
| 81 | +- 为您的部署启用 HTTPS(TLS)—— **请勿**在公网上以明文 HTTP 方式暴露 OpenList。 |
| 82 | +- 使用反向代理(如 Nginx、Caddy)限制对外暴露的端口。 |
| 83 | +- 配置访问控制,非必要情况下不要开启访客访问。 |
| 84 | +- 定期检查已挂载存储的权限,并撤销未使用的 API 令牌。 |
| 85 | +- 使用 Docker 部署时,尽可能避免以 root 用户运行容器。 |
| 86 | + |
| 87 | +## 致谢 |
| 88 | + |
| 89 | +我们衷心感谢所有负责任地披露漏洞、帮助 OpenList 变得更加安全的安全研究人员和社区成员。 |
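Review bot: the reporting section (lines 16-19 of the file) gives no expected acknowledgement or fix timeline and no statement of when a reporter may disclose, so researchers cannot tell whether silence means the report was lost; add a sentence such as "We aim to acknowledge reports within N days and will coordinate a disclosure date with the reporter" (N is a placeholder for the team to fill in). On the second channel, `- **Telegram**: Contact a maintainer privately via [@OpenListTeam](https://t.me/OpenListTeam)`, the link is a team handle rather than a named maintainer; if it resolves to a group or channel, anything posted there is visible to every member, which defeats the "do NOT report through public GitHub Issues" instruction above it. Either name the individual maintainer accounts to DM, or keep the advisory form as the only channel for vulnerability details and reserve Telegram for "I have submitted an advisory, please look at it" pings. Finally, the "Security Best Practices for Users" list recommends HTTPS, a reverse proxy and non-root Docker but links to no documentation for any of them; a pointer to the deployment docs for each item would make the list actionable.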