We take the security of Sico seriously. Thank you for helping keep the project and its users safe.
Sico is pre-1.0 and under active development. Security fixes are applied to
the main branch. When a stable release line exists, this section will be
updated to list supported versions.
Please do not file public GitHub issues for security vulnerabilities.
Instead, report privately via GitHub's private vulnerability reporting on this repository.
Please include:
- A description of the issue and its potential impact.
- Steps to reproduce, or a proof-of-concept.
- Any suggested mitigations.
We will acknowledge your report, investigate, and keep you informed of progress. We aim to provide an initial response within a few business days.
We practice coordinated disclosure. After a fix is available, we will publish a security advisory crediting the reporter (unless anonymity is requested).
The following are in scope for security reports:
- Authentication and authorization flaws (JWT, RBAC, HMAC sandbox auth).
- Injection vulnerabilities (SQL, command, prompt injection with real impact).
- Sensitive-data exposure in logs, API responses, or storage.
- Remote code execution or container escape in sandbox components.
- Denial-of-service with a low-cost trigger.
The following are out of scope:
- Vulnerabilities in third-party services Sico integrates with (report those to the upstream maintainers).
- Reports that require physical access to a developer machine.
- Missing security headers with no demonstrated impact.
- Findings from automated scanners without a working proof-of-concept.
If you deploy Sico, please also follow standard operator hygiene:
- Rotate all secrets from
.env.examplebefore exposing the service. - Use TLS in front of Nginx.
- Restrict network access to MySQL, Redis, SeaweedFS, and Kafka to the internal network.
- Keep container images and OS packages up to date.
- Review docs/technical_report.md and docs/quickstart.md before going to production.