
Security: chodeus/daps


SECURITY.md

Security Policy

Supported Versions

Version Supported
2.x
< 2.0

Reporting a Vulnerability

If you discover a security vulnerability in DAPS, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use one of the following methods:

  1. GitHub Security Advisories (preferred): Use the private vulnerability reporting feature to submit a report directly through GitHub.
  2. Email: Contact the maintainer directly via their GitHub profile.

What to include in your report

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Affected version(s)
  • Any suggested fix or mitigation (if applicable)

Response timeline

  • Acknowledgement: Within 48 hours of receiving the report
  • Initial assessment: Within 1 week
  • Fix or mitigation: Depends on severity, but critical issues will be prioritized

Severity classification

Severity   Description                                                       Target fix time
Critical   Remote code execution, authentication bypass, data exfiltration   48 hours
High       Privilege escalation, injection vulnerabilities, path traversal   1 week
Medium     Information disclosure, denial of service                         2 weeks
Low        Minor issues, hardening improvements                              Next release

Security considerations

DAPS is designed as a self-hosted, single-user application intended to run on a private network (e.g., behind a reverse proxy or VPN). It is not designed for public internet exposure without additional hardening.

Current security posture

  • Authentication: No built-in authentication. Rely on network isolation or a reverse proxy with auth (e.g., Authelia, Authentik, Nginx basic auth).
  • HTTPS: Not handled by DAPS. Use a reverse proxy (Caddy, Nginx, Traefik) for TLS termination.
  • API access: All API endpoints are unauthenticated. Restrict access via network controls.
  • Secrets storage: API keys and tokens are stored in config.yml in plaintext. Protect this file with appropriate filesystem permissions (chmod 600).
  • Docker: Runs as a non-root user (dockeruser) with configurable PUID/PGID.

Recommendations for deployment

  1. Never expose DAPS directly to the internet without a reverse proxy and authentication layer
  2. Protect your config.yml file (contains API keys for Plex, Radarr, Sonarr, Google Drive)
  3. Use Docker with restricted networking (--network=internal or equivalent)
  4. Keep DAPS and its dependencies updated via Dependabot PRs
  5. Review CodeQL scan results in the Security tab regularly
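The policy above states that config.yml holds API keys in plaintext and must be protected with chmod 600. The following is an added example, not part of the DAPS project, of a pre-start check that enforces that recommendation: it reads the file's mode, fails when any group or other permission bit is set, and can tighten the file in place. It assumes a POSIX sh with either GNU or BSD `stat`; the config path, the script name used in the run guard, and the dummy key in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the DAPS project: a pre-start check for the
# plaintext config.yml that the policy says must be protected with chmod 600.
# Assumes a POSIX sh with either GNU or BSD `stat`.

# Print a file's permission bits in octal (e.g. "600"), trying GNU stat
# first and falling back to the BSD/macOS form.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the file is exactly owner read/write (0600), 1 when any
# group/other bit is set, and 2 when the file does not exist.
check_config_perms() {
    cfg="$1"
    if [ ! -f "$cfg" ]; then
        echo "config not found: $cfg" >&2
        return 2
    fi
    mode=$(file_mode "$cfg")
    mode=${mode#"${mode%???}"}   # keep only the last three octal digits
    if [ "$mode" = "600" ]; then
        return 0
    fi
    echo "insecure permissions on $cfg: $mode (expected 600)" >&2
    return 1
}

# Tighten the file to 0600 and re-run the check so callers get a verdict.
fix_config_perms() {
    chmod 600 "$1" && check_config_perms "$1"
}

# Demonstration on a constructed config: a temp file holding a dummy key,
# created world-readable as an editor or copy step might leave it.
demo() {
    tmp=$(mktemp) || return 3
    printf 'plex:\n  api_key: EXAMPLE-NOT-A-REAL-KEY\n' > "$tmp"
    chmod 644 "$tmp"
    if check_config_perms "$tmp"; then
        echo "unexpected: mode 644 passed the check" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! fix_config_perms "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    echo "config.yml check passed after chmod 600"
    rm -f "$tmp"
    return 0
}

# Run the demo only when executed directly under the hypothetical script
# name, not when the functions are sourced by another script.
if [ "${0##*/}" = "daps_config_check.sh" ]; then
    demo
fi
```

In a real deployment, call `check_config_perms /path/to/config.yml` from the container entrypoint or a systemd `ExecStartPre=` and refuse to start DAPS on a non-zero result, so a loosened file is caught before the service reads its keys.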

Dependency management

  • Dependabot monitors Python (pip), JavaScript (npm), and GitHub Actions dependencies weekly
  • CodeQL runs on every push and weekly for Python and JavaScript security analysis
  • Ruff linter checks for common Python security patterns
