| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
We take security seriously. If you discover a security vulnerability in Ops-Center, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email us at: security@magicunicorn.tech
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: We'll acknowledge your report within 48 hours
- Assessment: We'll assess the severity and impact within 7 days
- Updates: We'll keep you informed of our progress
- Fix: We'll work on a fix and coordinate disclosure with you
- Credit: We'll credit you in the security advisory (unless you prefer anonymity)
The following are in scope:
- Ops-Center codebase
- Authentication/authorization bypasses
- Data exposure vulnerabilities
- Injection attacks (SQL, XSS, etc.)
- Privilege escalation
- Cryptographic weaknesses
Out of scope:
- Third-party dependencies (report to the respective project)
- Social engineering attacks
- Physical attacks
- Denial of service attacks
When deploying Ops-Center:
- Use strong Keycloak admin passwords
- Enable MFA for admin accounts
- Regularly rotate client secrets
- Use HTTPS in production
- Use strong, unique database passwords
- Restrict database access to application containers only
- Enable PostgreSQL SSL connections
- Regular backups with encryption
- Never commit API keys to version control
- Rotate API keys periodically
- Use environment variables for all secrets
- Set appropriate key scopes and limits
- Keep Docker and dependencies updated
- Use network isolation (Docker networks)
- Enable and review audit logs
- Configure rate limiting
Never commit these to version control:
KEYCLOAK_CLIENT_SECRETPOSTGRES_PASSWORDSTRIPE_SECRET_KEYLAGO_API_KEYLITELLM_MASTER_KEYSECRET_KEYJWT_SECRET
Use .env.auth (gitignored) or environment-specific secrets management.
Ops-Center includes:
- SSO Authentication: Keycloak with industry-standard OIDC
- Role-Based Access Control: 5-tier permission hierarchy
- Audit Logging: Complete activity tracking
- API Key Hashing: bcrypt for secure storage
- Input Validation: Pydantic models throughout
- SQL Injection Protection: Parameterized queries via asyncpg
- XSS Protection: React's built-in escaping
- HTTPS/TLS: Via Traefik reverse proxy
- PCI Compliance: Stripe handles all card data
We thank the following for responsibly disclosing vulnerabilities:
No vulnerabilities reported yet.
Thank you for helping keep Ops-Center secure!