We provide security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version of Torrent VPN Stack for the best security and features.
We take security vulnerabilities seriously. If you discover a security issue, please follow responsible disclosure practices:
- Do NOT open a public GitHub issue for security vulnerabilities
- Instead, report privately using one of these methods:
Option A: GitHub Security Advisories (Preferred)
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
Option B: Email
- Send an email to the project maintainers (check GitHub profile for contact)
- Use PGP encryption if possible (public key in maintainer's profile)
Provide as much information as possible:
- Description: Clear explanation of the vulnerability
- Impact: What an attacker could do with this vulnerability
- Steps to reproduce: Detailed steps to trigger the vulnerability
- Affected versions: Which versions are vulnerable
- Suggested fix: If you have ideas for fixing it
- Proof of concept: Code or screenshots (if applicable)
Example:

```markdown
## Vulnerability: Exposed API Credentials in Logs

**Impact:** HIGH - API credentials are logged in plaintext

**Affected Versions:** All versions prior to v1.2.0

**Steps to Reproduce:**
1. Start stack with DEBUG logging enabled
2. Check `docker logs gluetun`
3. API credentials are visible in logs

**Suggested Fix:**
Sanitize sensitive environment variables before logging.
```

What to expect after you report:
- Initial response: within 48 hours
- Acknowledgment: within 5 business days
- Status updates: every 7 days until resolved
- Fix timeline: depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 60 days
- We will work with you to understand and address the vulnerability
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We ask for 90 days from the initial report before public disclosure
- We will coordinate with you on the disclosure timeline
Don't:
- ❌ Commit the `.env` file to version control
- ❌ Share your `.env` file publicly
- ❌ Store credentials in plaintext outside of `.env`

Do:
- ✅ Keep the `.env` file secure with proper permissions: `chmod 600 .env`
- ✅ Use environment-specific `.env` files (don't reuse production credentials in dev)
- ✅ Rotate VPN credentials periodically
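The three "Do" items above can be checked mechanically. The script below is an added example (not part of Torrent VPN Stack) that audits a `.env` file: it fails if the file is group- or world-readable, if any variable whose name contains `PASS`, `PASSWORD` or `KEY` is empty or still holds a placeholder, or if git tracks the file. The placeholder list and the `stat`/`git` fallbacks are this example's own assumptions; `QBITTORRENT_PASS` is the only variable name taken from the page, and the demo `.env` it writes to a temporary directory is constructed, not the stack's file.

```sh
#!/bin/sh
# Added example: audit a .env file against the Do/Don't list above.

# audit_env FILE: exit 0 when FILE is owner-only readable, contains no empty or
# placeholder credential, and is not tracked by git; exit 1 on any finding,
# exit 2 if FILE does not exist. The placeholder list is this example's guess.
audit_env() {
  f="${1:-.env}"
  rc=0
  if [ ! -f "$f" ]; then
    echo "FAIL: $f not found"
    return 2
  fi

  # 1. Permissions: 600 (or 400) so only the owner can read the credentials.
  #    GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: mode $mode on $f, expected 600 (chmod 600 $f)"; rc=1 ;;
  esac

  # 2. Credentials: a variable whose name contains PASS, PASSWORD or KEY must not
  #    be empty or one of the placeholder values; a trailing " # comment" is allowed.
  if grep -Eiq '^[A-Z_]*(PASS|PASSWORD|KEY)[A-Z_]*="?(changeme|password|admin|adminadmin|your_strong_password_here)?"?( .*)?$' "$f"; then
    echo "FAIL: empty or placeholder credential in $f"
    rc=1
  fi

  # 3. Version control: inside a git work tree the file must be untracked.
  dir=$(dirname "$f")
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     git -C "$dir" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
    echo "FAIL: $f is tracked by git (git rm --cached it, then add it to .gitignore)"
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: $f passes all checks"
  fi
  return "$rc"
}

# Demo on a constructed .env in a temporary directory (not the stack's own file):
# mode 644 and the page's placeholder password both produce findings.
demo_dir=$(mktemp -d)
printf 'QBITTORRENT_USER=admin\nQBITTORRENT_PASS=your_strong_password_here # Change this!\n' > "$demo_dir/.env"
chmod 644 "$demo_dir/.env"
if audit_env "$demo_dir/.env"; then
  echo "demo: clean"
else
  echo "demo: findings reported above"
fi
rm -rf "$demo_dir"
```

Run it as `audit_env ~/torrent-vpn-stack/.env` before the first `docker compose up` and again after rotating credentials; a non-zero exit status makes it usable as a pre-commit hook or a step in a deployment script.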
Keep the stack up to date:

```bash
# Update to latest version
cd ~/torrent-vpn-stack
git pull origin main

# Update Docker images
docker compose pull

# Restart stack
docker compose down
docker compose up -d
```

Ensure only necessary ports are exposed:
- qBittorrent WebUI: port 8080 (restrict to the local network)
- Grafana: port 3000 (optional; restrict if needed)
- Prometheus: port 9090 (optional; local only)

Example (Ubuntu/Debian with UFW):

```bash
# Allow qBittorrent only from the local network. UFW evaluates rules in order,
# so this allow rule must be added before the deny rule below.
sudo ufw allow from 192.168.1.0/24 to any port 8080

# Deny access from everywhere else
sudo ufw deny 8080/tcp
```

Caveat: UFW filters the host's INPUT chain, but ports published by Docker (`ports:` in `docker-compose.yml`) are forwarded by Docker's own iptables rules and bypass UFW unless each published port is bound to a specific address (`192.168.1.10:8080:8080` or `127.0.0.1:8080:8080` rather than `8080:8080`). Check what is actually reachable with `docker port <container>` for every service that publishes ports; in this stack the qBittorrent WebUI port is published on the gluetun container, because qBittorrent shares its network namespace.

Change the default password in `.env`:
```env
QBITTORRENT_USER=admin
# Change this before the first start: use a long random value. The comment is
# kept on its own line so no .env parser treats it as part of the value.
QBITTORRENT_PASS=your_strong_password_here
```

Only use port forwarding from trusted VPN providers:
- ✅ Established providers with a documented port-forwarding feature, e.g. ProtonVPN, PIA (Mullvad is often cited but discontinued port forwarding in 2023, so verify your provider's current offering)
- ❌ Free VPNs or unknown providers

Port forwarding happens inside the VPN tunnel: the provider opens the forwarded port on its exit IP and relays it through the tunnel to qBittorrent, so nothing is opened on your router and your ISP-assigned address is never exposed to peers.
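Because Docker publishes ports through its own iptables rules, a UFW rule alone does not tell you what is reachable; what matters is the address each published port is bound to. The function below is an added example (not part of Torrent VPN Stack) for the port-exposure guidance above: it reads the output of `docker port <container>` and flags any port outside an allow-list or bound to all interfaces. The default allow-list (8080, 3000, 9090) is the port list from this page; the sample lines it runs on are constructed in the format `docker port` prints and do not come from a real host.

```sh
#!/bin/sh
# Added example: verify what the stack actually publishes to the network.

# check_published_ports "ALLOWED": read `docker port <container>` output on stdin.
# Report every published port that is not in the space-separated ALLOWED list
# (default "8080 3000 9090", the ports listed above) and every port bound to all
# interfaces (0.0.0.0 or [::]), which Docker exposes regardless of UFW's INPUT
# rules. Exit status 0 when nothing is reported, 1 otherwise.
check_published_ports() {
  allowed=" ${1:-8080 3000 9090} "
  rc=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    # Lines look like "8080/tcp -> 192.168.1.10:8080"; the container-side
    # port is everything before the first "/".
    cport=${line%%/*}
    case "$allowed" in
      *" $cport "*) ;;
      *) echo "UNEXPECTED: $line (allowed:$allowed)"; rc=1 ;;
    esac
    case "$line" in
      *"-> 0.0.0.0:"*|*"-> [::]:"*)
        echo "WILDCARD: $line (bind to a LAN or loopback address in the compose ports: entry, e.g. 127.0.0.1:8080:8080)"
        rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed docker-port output for the demo (not captured from a real host):
# 8080 is bound to every interface and 6881 is not in the allow-list.
sample_docker_port() {
  printf '%s\n' \
    '8080/tcp -> 0.0.0.0:8080' \
    '8080/tcp -> [::]:8080' \
    '9090/tcp -> 127.0.0.1:9090' \
    '6881/tcp -> 192.168.1.10:6881'
}

# Against the running stack (qBittorrent shares Gluetun's network namespace, so
# its WebUI port is published on the gluetun container):
#   docker port gluetun | check_published_ports "8080 3000 9090"
if sample_docker_port | check_published_ports; then
  echo "all published ports are expected and bound to specific addresses"
else
  echo "findings above need fixing before the UFW rules can be trusted"
fi
```

Run it for every container that has a `ports:` section (Grafana and Prometheus included), not only gluetun; a port that appears as `UNEXPECTED` usually means a service was left published by a compose override.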
Watch the logs for brute-force attempts against the WebUI and for tunnel instability (`2>&1` is needed because `docker logs` writes the container's stderr to stderr, which a plain pipe would miss):

```bash
# Check for failed login attempts
docker logs qbittorrent 2>&1 | grep -i "failed\|unauthorized"

# Monitor VPN connection
docker logs gluetun 2>&1 | grep -i "error\|disconnect"
```

Use encrypted backups and store them securely:
```bash
# Create backup
./scripts/backup.sh

# Encrypt backup (optional)
gpg --encrypt --recipient your-email@example.com backup.tar.gz
```

A backup that contains `.env` or the qBittorrent configuration is as sensitive as the live files, so encrypt it before it leaves the host.

Gluetun provides a network kill switch:
- If the VPN disconnects, all traffic stops
- qBittorrent cannot leak your real IP

This holds because qBittorrent runs inside Gluetun's network namespace and has no network interface of its own: Gluetun's internal firewall only permits traffic through the tunnel interface, so when the tunnel is down there is no route out. Note that the protection is tied to that namespace: if the gluetun container is restarted or recreated, containers sharing its namespace lose connectivity until they are restarted as well, so restart the whole stack rather than gluetun alone.

Verify the kill switch is working:

```bash
./scripts/verify-vpn.sh
```

Gluetun handles DNS to prevent leaks:
- DNS requests go through the VPN tunnel
- The qBittorrent container never uses the host's or the LAN's resolver

Test for DNS leaks:

```bash
docker exec gluetun wget -qO- https://www.dnsleaktest.com
```

Fetching the page only proves that name resolution and HTTP work from inside the tunnel; it does not show which resolver answered. Also confirm that the container's `/etc/resolv.conf` points at Gluetun's own in-container resolver (127.0.0.1 when its DNS over TLS is enabled, which is the default) rather than at your router or ISP.
- qBittorrent runs in isolated container
- Uses Gluetun's network namespace
- No direct internet access
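The monitoring section above greps the logs by hand. As an added example (not part of Torrent VPN Stack), the script below turns the qBittorrent check into a threshold alert: it counts WebUI login failures per source IP and how many distinct usernames each IP tried, which separates a user mistyping a password from a credential spray. The sample log lines are constructed here to resemble qBittorrent's `WebAPI login failure` messages; the exact wording in your version may differ, so adjust the regular expressions if the `IP:` or `username:` fields are labelled differently.

```sh
#!/bin/sh
# Added example: threshold alerting over qBittorrent WebUI login failures.

# sample_qbt_log: constructed lines in the shape of qBittorrent's
# "WebAPI login failure" messages (not real captured data). One IP fails five
# times with two different usernames, another fails once, and the last line is
# unrelated noise that also contains "IP:" and must be ignored.
sample_qbt_log() {
  printf '%s\n' \
    '(W) 2024-03-01T10:00:01 - WebAPI login failure. Reason: invalid credentials, attempt count: 1, IP: 192.168.1.50, username: admin' \
    '(W) 2024-03-01T10:00:02 - WebAPI login failure. Reason: invalid credentials, attempt count: 2, IP: 192.168.1.50, username: admin' \
    '(W) 2024-03-01T10:00:03 - WebAPI login failure. Reason: invalid credentials, attempt count: 3, IP: 192.168.1.50, username: root' \
    '(W) 2024-03-01T10:00:04 - WebAPI login failure. Reason: invalid credentials, attempt count: 4, IP: 192.168.1.50, username: root' \
    '(W) 2024-03-01T10:00:05 - WebAPI login failure. Reason: invalid credentials, attempt count: 5, IP: 192.168.1.50, username: admin' \
    '(W) 2024-03-01T10:01:00 - WebAPI login failure. Reason: invalid credentials, attempt count: 1, IP: 192.168.1.20, username: admin' \
    '(I) 2024-03-01T10:01:30 - WebUI: Now listening on IP: *, port: 8080'
}

# scan_qbt_logins THRESHOLD: read log lines on stdin, count login failures per
# source IP and the distinct usernames each IP tried, and print one ALERT line
# per IP at or above THRESHOLD (default 5). Exit status 1 if any alert fired.
scan_qbt_logins() {
  awk -v t="${1:-5}" '
    /WebAPI login failure/ {
      # Extract the address from the "IP: <addr>," field (IPv4 or IPv6).
      if (match($0, /IP: [0-9A-Fa-f.:]+/)) {
        ip = substr($0, RSTART + 4, RLENGTH - 4)
        fails[ip]++
        # Count distinct usernames per IP: many names from one IP is a spray.
        if (match($0, /username: [^ ,]+/)) {
          u = substr($0, RSTART + 10, RLENGTH - 10)
          if (!((ip, u) in seen)) { seen[ip, u] = 1; users[ip]++ }
        }
      }
    }
    END {
      bad = 0
      for (ip in fails)
        if (fails[ip] >= t) {
          printf "ALERT %s: %d failed logins, %d distinct usernames\n", ip, fails[ip], users[ip] + 0
          bad = 1
        }
      exit bad
    }'
}

# Demo on the constructed sample. Against the live stack use:
#   docker logs --since 24h qbittorrent 2>&1 | scan_qbt_logins 5
if sample_qbt_log | scan_qbt_logins 5; then
  echo "no IP reached the threshold"
else
  echo "alert fired (exit status 1); consider blocking the IP at the firewall"
fi
```

The exit status makes the function usable from cron or a systemd timer: a non-zero status can trigger a notification or a `ufw deny from <ip>` rule. Keep the threshold above the number of retries a legitimate user makes, and watch the username count as much as the total, since a single address trying several names is a stronger signal than repeated failures on one account.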
Downloaded files inherit user permissions:
- Set `PUID` and `PGID` in `.env` to match your user
- Prevents permission issues and unauthorized access
qBittorrent WebUI security:
- Authentication: always enabled (leave the WebUI options "Bypass authentication for clients on localhost" and "Bypass authentication for clients in whitelisted IP subnets" switched off, otherwise a reverse proxy or LAN host reaches the UI without a password)
- Network restriction: configured via `LOCAL_SUBNET`
- HTTPS: not enabled by default (consider using a reverse proxy)

Recommendation: use a reverse proxy (nginx, Traefik) with SSL/TLS for remote access.
Ubuntu/Debian (AppArmor):

```bash
# Check AppArmor status
sudo aa-status

# Docker applies its default AppArmor profile to containers
docker info | grep -i security
```

Fedora/RHEL (SELinux):

```bash
# Check SELinux status
sestatus

# Ensure Docker is using SELinux
docker info | grep -i security
```

For production setups, consider Docker Swarm with secrets:
```bash
# Create the secret (requires swarm mode: docker swarm init).
# Read it from a file rather than echoing a literal: the value then does not
# land in shell history, and the trailing newline echo would add is avoided.
docker secret create vpn_password ./vpn_password.txt
```

Reference it in `docker-compose.yml` and grant it to the service that needs it; it is then mounted read-only at `/run/secrets/vpn_password` inside that container:

```yaml
secrets:
  vpn_password:
    external: true

services:
  gluetun:
    secrets:
      - vpn_password
```

Without swarm mode, plain `docker compose` supports the same `secrets:` section with `file: ./vpn_password.txt` in place of `external: true`. Gluetun can read credentials from such files through its `*_SECRETFILE` options (see the Gluetun documentation) instead of from plain environment variables.

Isolate the torrent stack on a separate VLAN or subnet:
- Reduces attack surface
- Limits lateral movement if compromised
This project is a tool for legal torrenting only:
- ✅ Legal: Open source software, public domain content, authorized distributions
- ❌ Illegal: Copyrighted material without permission
Disclaimer: Users are responsible for their own use. This project does not endorse or encourage copyright infringement.
VPN usage may be subject to local laws:
- Check your jurisdiction's regulations
- Choose VPN providers with strong privacy policies
- Prefer providers in privacy-friendly jurisdictions (e.g., Mullvad in Sweden)
No formal security audits have been conducted yet. If you're interested in sponsoring or conducting an audit, please contact the maintainers.
None reported yet.
For security concerns:
- Private reports: Use GitHub Security Advisories
- General questions: Open a GitHub Discussion
We thank the following individuals for responsibly disclosing vulnerabilities:
(No vulnerabilities reported yet)
If you report a vulnerability, you will be acknowledged here (unless you prefer anonymity).