
Security: conhecendoia/coolify-auto-upgrade


.github/SECURITY.md

Security Policy

Supported Versions

The following versions of Coolify Auto-Upgrade are currently supported with security updates:

| Version | Supported                |
|---------|--------------------------|
| 1.1.x   | ✅ Yes                   |
| 1.0.x   | ⚠️ Security fixes only   |
| < 1.0   | ❌ No                    |

Reporting a Vulnerability

The Coolify Auto-Upgrade team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

Please do NOT report security vulnerabilities through public GitHub issues.

How to Report

  1. Send an email to the project maintainers through GitHub's private vulnerability reporting
  2. Include the following information:
    • A description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact of the vulnerability
    • Suggested mitigation (if any)

Private Vulnerability Reporting

You can also report security vulnerabilities privately through GitHub's Security Advisory feature.

What to Expect

  • Initial Response: We will acknowledge your report within 48 hours
  • Investigation: We will investigate the vulnerability and validate the findings
  • Resolution: We will work on a fix and provide a timeline for release
  • Disclosure: We will coordinate with you on the public disclosure of the vulnerability

Security Best Practices

Users of Coolify Auto-Upgrade should follow these security best practices:

  1. Run as a dedicated user: Do not run the upgrade script as root unless absolutely necessary
  2. Review logs regularly: Check /var/log/coolify-auto-upgrade.log for any suspicious activity
  3. Keep backups: Ensure your backup system is working correctly
  4. Use TLS: When connecting to Docker registries, ensure HTTPS is used
  5. Limit access: Restrict access to the upgrade scripts and configuration files
  6. Verify images: After upgrade, verify Docker image signatures when available
  7. Lock file monitoring: The script uses a lock file at /var/run/coolify-auto-upgrade.lock - ensure it's properly secured

Security Features

Coolify Auto-Upgrade includes several security features:

  • Symlink protection: Validates paths to prevent symlink attacks
  • Input validation: All user inputs are validated before processing
  • Lock file management: Prevents concurrent execution with stale lock detection
  • Signal handlers: Proper cleanup on SIGINT/SIGTERM/EXIT/ERR
  • TOCTOU protection: Path validation with real path resolution
  • No silent failures: Proper error handling without dangerous && || patterns
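The lock-file, signal-handler and path-validation features listed above, as an added illustration that is not the project's own lib/safety.sh or lib/validation.sh code: LOCK_FILE, BASE_DIR and the function names are assumptions, and the paths default to /tmp so it runs unprivileged. It is kept to POSIX sh, so the bash-only ERR trap is omitted, and `realpath -e` assumes GNU coreutils.

```shell
# Added example, not the project's own code: the stale-lock handling,
# trap cleanup and realpath-based path validation described above.
# LOCK_FILE/BASE_DIR are assumed names under /tmp; realpath -e is GNU.
set -eu
LOCK_FILE="${LOCK_FILE:-${TMPDIR:-/tmp}/coolify-auto-upgrade-example.lock}"
BASE_DIR="${BASE_DIR:-${TMPDIR:-/tmp}/coolify-auto-upgrade-example}"

# Runs on INT/TERM/EXIT once the lock is held (bash adds ERR); keeps $?.
cleanup() {
  rc=$?
  trap - INT TERM EXIT
  rm -f -- "$LOCK_FILE"
  exit "$rc"
}

# Create the lock atomically (set -C = noclobber). An existing lock is
# stale only if its recorded PID is dead; a live PID means a concurrent run.
acquire_lock() {
  for attempt in 1 2; do
    if ( set -C; echo "$$" > "$LOCK_FILE" ) 2>/dev/null; then
      trap cleanup INT TERM EXIT
      return 0
    fi
    pid=$(cat -- "$LOCK_FILE" 2>/dev/null || true)
    case "$pid" in
      ''|*[!0-9]*) ;;  # unreadable or garbage content: treat as stale
      *) if kill -0 "$pid" 2>/dev/null; then
           echo "another run is active (pid $pid)" >&2
           return 1
         fi ;;
    esac
    echo "removing stale lock (pid ${pid:-unknown})" >&2
    rm -f -- "$LOCK_FILE"
  done
  return 1
}

# Resolve symlinks first, then require the real path to be under BASE_DIR;
# callers must use the resolved path afterwards so check and use match.
validate_path() {
  real=$(realpath -e -- "$1" 2>/dev/null) || return 1
  base=$(realpath -e -- "$BASE_DIR") || return 1
  case "$real" in "$base"|"$base"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed fixture: a legitimate config file plus a symlink escaping BASE_DIR.
make_fixture() {
  mkdir -p -- "$BASE_DIR/conf"
  echo "COOLIFY_VERSION=1.1.0" > "$BASE_DIR/conf/upgrade.env"
  ln -sfn -- "${TMPDIR:-/tmp}" "$BASE_DIR/conf/escape"
}
```

Note that `kill -0` also fails for a live process owned by another account, so a lock written by a different user would be treated as stale; running the script under one dedicated user (practice 1 above) avoids that ambiguity.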

Dependency Security

This project depends on:

  • Docker: Keep Docker daemon updated with security patches
  • curl: Used for API calls - keep updated
  • jq: Used for JSON parsing - keep updated
  • bash: Version 4.0+ required

Regularly update these dependencies to receive security fixes.

Security Audits

The codebase is regularly checked for security issues:

  • ShellCheck: Static analysis for shell script vulnerabilities
  • Manual review: All code is reviewed before merge
  • Input validation: Comprehensive validation library (lib/validation.sh)
  • Safety checks: Pre-flight safety checks (lib/safety.sh)

Contact Information

For security-related questions that are not vulnerability reports, please open a GitHub issue with the security label.

Security Hall of Fame

We credit security researchers in our security advisories and release notes for their responsible disclosure.

Thank you for helping keep Coolify Auto-Upgrade safe!

There aren’t any published security advisories