This policy covers the app templates in this repository. For security issues in the Lawn application itself, see the main Lawn repository.

Reports are welcome for issues in the templates such as:
- Default or hardcoded credentials that should be generated
- Container images with known critical vulnerabilities
- Ports exposed beyond localhost when they shouldn't be
- Insecure default configurations (e.g., authentication disabled)
- Secrets or tokens committed in template files
Do not open a public issue.

Use GitHub's private vulnerability reporting to submit a report.
Include:
- The affected app template
- A description of the vulnerability
- Steps to reproduce, if applicable
After a report is submitted, you can expect:
- Acknowledgment within 48 hours
- Assessment within 5 business days
- Fix within 30 days for confirmed issues
Reporters are credited in the fix commit unless they prefer to remain anonymous.