At Webnestify, we take the security of our projects seriously. If you discover any security vulnerabilities or have concerns regarding the security of this repository, we encourage you to report them responsibly.

We provide security updates for the following:

We recommend always using the latest version of these templates.

1. Do NOT disclose the vulnerability publicly (e.g., in GitHub Issues, forums, or social media)
2. Navigate to the Security tab of this repository on GitHub
3. Click "Report a vulnerability" to create a private security advisory
4. Provide a detailed description including:
   • Affected template(s) or file(s)
   • Steps to reproduce the issue
   • Potential impact assessment
   • Proof of Concept (PoC) if applicable
   • Suggested fix (if you have one)

After receiving your report, we will:

• Acknowledge receipt within 48 hours
• Investigate and assess the vulnerability
• Communicate progress and updates with you
• Credit you in the fix (unless you prefer anonymity)
• Release a patch as soon as possible

When deploying these templates, please follow these guidelines:

• Never commit .env files with real credentials to version control
• Use strong, unique passwords for all services
• Rotate credentials periodically
• Use a secrets manager for production environments

• Always use a reverse proxy with HTTPS (templates bind to localhost by default)
• Keep firewall rules restrictive — only expose necessary ports
• Use Docker networks to isolate services
• Consider using a VPN for administrative access

• Keep Docker and all images updated regularly — docker compose pull && docker compose up -d against the pinned tags in each template's compose file
• Re-run the Trivy scan after upgrading; the methodology is documented in AUDIT.md
• Review container logs for suspicious activity
• The full hardening baseline (cap_drop: ALL, no-new-privileges, ipc: private, internal-only DB networks, tmpfs for ephemeral writes, per-container resource limits) is already configured in every template

• Regularly backup persistent volumes and databases
• Test your backup restoration process
• Store backups in a separate location

This security policy covers:

• ✅ All Docker Compose configurations in this repository
• ✅ Environment variable templates and examples
• ✅ Initialization scripts (init-data.sh)
• ✅ Documentation that could lead to insecure configurations

• ❌ Vulnerabilities in upstream Docker images (report to the respective maintainers)
• ❌ Issues in third-party applications themselves (Jellyfin, n8n, etc.)
• ❌ User misconfiguration or failure to follow security guidelines
• ❌ Self-hosted environment security (your responsibility)

If you find a vulnerability in an upstream project, please report it directly to that project's maintainers.

Every template ships with the same hardened baseline:

The repo publishes AUDIT.md — a Trivy CVE scan of every image in every docker-compose.yml, triaged against the hardened configuration above. Each finding is tagged [ACTION], [WATCH], [CONDITIONAL], or [NOISE] with the reasoning visible inline, so you can challenge any individual call. The audit is timestamped (scanner version + DB version + scan date) and refreshed each time the templates change materially.

Re-run it locally with:

trivy image --severity CRITICAL,HIGH,MEDIUM,LOW --scanners vuln <image>:<tag>

Please note:

• As an individual developer, response times may vary based on complexity
• Security in self-hosted environments is ultimately the user's responsibility
• These templates are provided as-is; please review them before production use
• We cannot guarantee immediate patches for all vulnerabilities

For security-related inquiries that don't fit the vulnerability report process:

• Email: contact@webnestify.cloud
• Website: webnestify.cloud/contact

Thank you for helping keep this project and its users secure. Your responsible disclosure is greatly appreciated.