Linuxserver takes the security of our software products seriously, including all the open source code repositories managed through platforms such as GitHub.

Please be aware that we cannot take responsibility for vulnerabilities found in upstream software packages or libraries, and you should report such issues to the appropriate maintainers. Where no upstream resolution is possible or available, and a vulnerability has a material effect on one of our products, we will make reasonable efforts to apply any necessary mitigations or workarounds.

If you believe you have found a security vulnerability in any Linuxserver-owned repository, please report it to us through coordinated disclosure.

Please do not report security vulnerabilities through public GitHub issues, discussions, pull requests, or conversation on our Discord or Discourse platforms.

Instead, please email security[@]linuxserver.io, with a subject line that includes [security]. If your email subject is not properly formed, it will not be processed.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

• The type of issue (e.g., buffer overflow, container escape, or privilege escalation)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue
• Any additional relevant information

This information will help us triage your report more quickly.

To encourage research and coordinated disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorised” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as the Computer Misuse Act. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this security reporting policy's scope.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorise security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this security reporting policy permits.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!