If you discover a security vulnerability in OpenOMS, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: security@openoms.org

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix and disclosure: We aim to release a fix within 30 days of confirmation

• Always use TLS termination (nginx, Caddy, Traefik, or ingress-nginx)
• Set strong values for JWT_SECRET (64+ characters) and ENCRYPTION_KEY (64 hex chars)
• Never expose PostgreSQL or Redis ports publicly
• Use the provided Docker images with non-root users
• Rotate secrets periodically
• Keep dependencies updated (task lint includes security scanning)