Please DO NOT create a public GitHub issue for security vulnerabilities.
If you discover a security issue, please report it privately to the maintainers.
- Preferred: Use GitHub's private vulnerability reporting feature for this repository if it is enabled.
- Fallback: Contact the repository owner privately via GitHub: https://github.com/code-sport
- Include
SECURITYin the subject or opening line so the report can be triaged quickly. - Details to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
- Whether you'd like credit in the security advisory
If private vulnerability reporting is not available in the repository UI, use the fallback path above instead of opening a public issue.
Maintainers will:
- Acknowledge receipt within 48 hours
- Investigate and assess the severity
- Work on a fix
- Coordinate disclosure timeline
- Please allow maintainers reasonable time to investigate and remediate before public disclosure.
- After a fix is available, maintainers may publish a changelog entry and, where appropriate, a GitHub security advisory.
- If a reported issue turns out not to be a vulnerability, maintainers may continue the discussion as a normal bug report.
When using Claude Local Stack:
- Run behind a firewall if exposed to external networks
- Use authentication (Open WebUI has built-in user management)
- Do not expose ports directly to the internet without a reverse proxy
- Never commit
.envfiles with real values - Use
.env.exampletemplate for sharing - Rotate API keys regularly
- Use Docker secrets for production deployments
- Keep Docker images updated
- Run containers with minimal privileges
- Use read-only filesystems where possible
- Scan images for vulnerabilities:
docker scan ollama/ollama
- Dependencies are monitored by Dependabot
- Review security updates in PRs
- Test updates before deploying to production
| Version | Supported | Note |
|---|---|---|
| Latest | β Yes | Actively maintained |
| Previous | Bug fixes only | |
| Older | β No | Use at own risk |
- Local Models: Open WebUI stores conversations locally by default
- Network: Services communicate via internal Docker network (secure)
- GPU: NVIDIA GPU access requires host permissions
- Logs: Ensure logs don't contain sensitive information
- Frequency: Checked on each commit (Dependabot)
- Policy: Security fixes have priority
- Notification: GitHub security advisories and PRs
- π Configuration Guidance
- π Report Vulnerability
- π GitHub Issues (non-security only)
- π€ Support Guide