| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to the repository maintainers
- Include as much detail as possible:
  - Type of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment within 48 hours
- Initial assessment within 7 days
- Regular updates on progress
- Credit in security advisories (if desired)
When deploying WebOS Process Manager:
- Change `JWT_SECRET`: Use a strong, random secret in production
- Set `CORS_ORIGINS`: Restrict to your specific domains
- Use HTTPS: Always use HTTPS in production
- Secure MongoDB: Enable authentication and use TLS
- Network isolation: Limit database access to application servers only
- Regular backups: Implement backup procedures
- Admin access: Only grant admin role to trusted users
- Host process termination: Disabled by default in UI for safety
- Critical process protection: System processes are protected from termination
- Strong passwords: Enforce a minimum password length (the built-in minimum is 6 characters; NIST SP 800-63B calls for at least 8, so raise it for production deployments)
- Token expiration: JWT tokens expire after 24 hours by default
- Session management: JWTs are stateless, so a logout must do more than discard the token on the client; revoke the token server-side (or keep lifetimes short) so a stolen token cannot be replayed until it expires
All user inputs are validated:
- Username: 3-32 alphanumeric characters
- Password: 6-128 characters
- File names: No path traversal, reserved names blocked
- Object IDs: MongoDB ObjectId format (24 hexadecimal characters) validated
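The validation rules listed above, written out as plain Node.js validators. This is an added example, not the project's own code: the function names and the Windows reserved-name list are this example's choices, and the file-name check treats a name as a single path component (anything containing a separator is rejected outright).

```javascript
// Added example (not the project's own code): validators for the rules above.
// Function names and the reserved-name list are this example's assumptions.

const USERNAME_RE = /^[A-Za-z0-9]{3,32}$/;      // 3-32 alphanumeric characters
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;        // MongoDB ObjectId: 12 bytes, hex-encoded

// Names that are special regardless of extension on Windows, plus the two
// directory aliases that are traversal primitives on every platform.
const RESERVED_NAMES = new Set([
  '.', '..', 'CON', 'PRN', 'AUX', 'NUL',
  'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9',
  'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9',
]);

function isValidUsername(s) {
  return typeof s === 'string' && USERNAME_RE.test(s);
}

function isValidPassword(s) {
  // Length only (measured in characters); no composition rules.
  return typeof s === 'string' && s.length >= 6 && s.length <= 128;
}

function isValidObjectId(s) {
  return typeof s === 'string' && OBJECT_ID_RE.test(s);
}

// A file name is a single path component: no separators, no NUL bytes,
// no traversal, no reserved names (checked without extension, case-insensitively).
function isValidFileName(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > 255) return false;
  if (/[\/\\\0]/.test(s)) return false;                 // '/', '\' or NUL
  if (s !== s.trim() || s.endsWith('.')) return false;  // surrounding spaces, trailing dot
  const base = s.split('.')[0].toUpperCase();           // "con.txt" -> "CON"
  if (RESERVED_NAMES.has(s) || RESERVED_NAMES.has(base)) return false;
  return true;
}
```

Rejecting separators is what makes the traversal check simple: once a name cannot contain `/` or `\`, the only remaining traversal spellings are `.` and `..`, which the reserved-name set catches.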
- Critical PIDs (0, 1, self, parent) cannot be terminated
- Critical process names (init, systemd, etc.) are protected
- Graceful termination: SIGTERM is sent first, escalating to SIGKILL only if the process has not exited within the grace period
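A guarded termination routine implementing the three rules above, as an added example (not the project's own code). The critical-name list is illustrative, since the page only says "init, systemd, etc."; the signal sender and the sleep are injectable so the policy can be exercised against fake processes, and by default it uses `process.kill`.

```javascript
// Added example (not the project's own code): guarded host-process termination.
// The critical-name list, the 5 s grace period and the 100 ms poll interval are
// this example's assumptions.

const CRITICAL_NAMES = new Set(['init', 'systemd', 'launchd', 'kthreadd', 'kernel_task']);

// PIDs that must never be signalled: the idle/kernel pid, init, and our own
// process and its parent (killing those takes the manager down with them).
function isProtectedPid(pid) {
  return pid === 0 || pid === 1 || pid === process.pid || pid === process.ppid;
}

function isProtectedName(name) {
  return typeof name === 'string' && CRITICAL_NAMES.has(name.toLowerCase());
}

// Resolves to 'protected', 'not-found', 'terminated' (exited after SIGTERM)
// or 'killed' (had to escalate to SIGKILL). Throws EPERM if the service user
// may not signal the target, which is the "appropriate permissions" case.
async function terminateProcess(pid, opts = {}) {
  const {
    name,
    graceMs = 5000,
    pollMs = 100,
    sendSignal = (p, sig) => process.kill(p, sig),
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;

  if (!Number.isInteger(pid) || pid < 0) throw new TypeError('pid must be a non-negative integer');
  if (isProtectedPid(pid) || isProtectedName(name)) return 'protected';

  // Signal 0 delivers nothing; it only checks that the process exists and that
  // we are allowed to signal it. A zombie still "exists" until its parent reaps it.
  const isAlive = () => {
    try { sendSignal(pid, 0); return true; }
    catch (err) { if (err.code === 'ESRCH') return false; throw err; }
  };

  if (!isAlive()) return 'not-found';

  sendSignal(pid, 'SIGTERM');
  for (let waited = 0; waited < graceMs; waited += pollMs) {
    await sleep(pollMs);
    if (!isAlive()) return 'terminated';
  }
  sendSignal(pid, 'SIGKILL');
  return 'killed';
}
```

The PID and name checks run before any signal is sent, so a protected target is never probed, and the existence probe reuses the same permission check the real signal would hit, which surfaces EPERM before SIGTERM rather than after.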
- JWT authentication required for all endpoints (except health checks)
- Admin role required for host process termination
- Rate limiting: recommended for production (add it in front of the API, particularly on the login endpoint, to slow credential guessing)
- Host process monitoring: Requires appropriate system permissions (an unprivileged service user can only signal its own processes; running the manager as root removes that limit but also makes every account holding the admin role root-equivalent for process control)
- Virtual processes: Simulated, not actual OS processes
- File system: Virtual file system stored in MongoDB
Security updates will be released as patch versions. Monitor:
- GitHub releases
- Security advisories
- CHANGELOG.md
We thank all security researchers who help improve WebOS Process Manager's security.