Skip to content

Security: DZBuild-com/ownz

Security

SECURITY.md

Security Policy

We take the security of ownz seriously. Thank you for helping keep the project and the people who self-host it safe.

Supported versions

Security fixes are provided for the latest released version of ownz on the main branch. We recommend always running the most recent release.

Version Supported
Latest release
Older releases

If you're running an older version, please upgrade before reporting an issue — the vulnerability may already be fixed.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests. Public disclosure before a fix is available puts every self-hosted install at risk.

Instead, report privately through GitHub Security Advisories:

➡️ Open a private security advisory

This creates a confidential channel between you and the maintainers where we can discuss, confirm, and coordinate a fix. If you're unable to use GitHub Security Advisories, you may email us at security@ownz.net.

What to include

A good report helps us confirm and fix the issue quickly. Please include as much of the following as you can:

  • A clear description of the vulnerability and its impact
  • The affected version, commit, or component (e.g. server, dashboard, a specific block)
  • Step-by-step instructions to reproduce it
  • A proof-of-concept, if you have one
  • Any relevant configuration (for example, non-default environment variables that are required to trigger it)
  • Your assessment of severity, and any suggested remediation

Please do not run tests against installs you don't own, exfiltrate data, or degrade service for others while investigating.

What to expect

  • Acknowledgement: we aim to acknowledge your report within 3 business days.
  • Assessment: we'll investigate and provide an initial assessment, typically within 7 business days, and keep you updated as we work toward a fix.
  • Fix and disclosure: once a fix is ready, we'll release it and publish an advisory. We're happy to credit you for the discovery unless you'd prefer to remain anonymous.

We practice coordinated disclosure and ask that you give us reasonable time to release a fix before disclosing details publicly.

Scope

ownz is self-hosted and single-tenant — each install is run and operated by its owner, who sets their own credentials and environment variables (such as OWNER_EMAIL, OWNER_PASSWORD, SESSION_SECRET, and DATABASE_URL). Because of this:

  • In scope: vulnerabilities in the ownz code itself — for example authentication and session handling, authorization checks, injection, cross-site scripting, cross-site request forgery, insecure defaults, or the handling of uploaded and rendered content.
  • Out of scope: issues caused solely by a self-hoster's own environment or misconfiguration — for example a weak OWNER_PASSWORD, a leaked SESSION_SECRET, an exposed or unsecured PostgreSQL database, a missing TLS certificate, or outdated operating-system packages. Security depends in part on operators following good practices when deploying.

If you're unsure whether something is in scope, report it privately anyway and we'll help figure it out.

The hosted version

If you found an issue on the managed hosted service at ownz.net rather than in a self-hosted install, please still report it privately through the channels above and note that it applies to the hosted service.

Thank you for helping keep ownz and its community safe.

There aren't any published security advisories