Security

Security Policy

We take the security of Repod seriously. If you believe you have found a security vulnerability in any Repod-maintained repository, please report it to us as described below.

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities. Instead, please send a detailed report to:

[email protected]

What to include in your report

  • Description of the vulnerability and its potential impact
  • Repod version affected (Community or Enterprise, version number)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept code or screenshots if applicable
  • Any suggested remediation or patch

Response timeline

Stage              Target     Outcome
Initial response   48 hours   Acknowledgement of receipt
Assessment         7 days     Triage and severity rating
Resolution         90 days    Patch or mitigation for confirmed issues

Scope

The following are in scope for responsible disclosure:

  • Repod Community Edition — github.com/getautoflow/repod
  • Repod Enterprise Edition
  • The Repod REST API
  • The Repod web dashboard (frontend)
  • The repod.getautoflow.dev marketing website

The following are out of scope:

  • Vulnerabilities in packages hosted inside a Repod instance (report to the upstream maintainer)
  • Vulnerabilities in third-party dependencies (report to the respective project)
  • Social engineering attacks
  • Physical attacks against infrastructure

Coordinated disclosure

We follow a coordinated disclosure model. We ask that you give us a reasonable amount of time to address the issue before any public disclosure. We will work with you to determine an appropriate disclosure timeline and will credit you in the security advisory (unless you prefer to remain anonymous).

Security design principles

Repod is designed with security as a first-class concern:

  • All data stays within your infrastructure — Repod is fully self-hosted with no cloud dependency
  • Zero telemetry — no usage data, crash reports, or package metadata is transmitted externally
  • Authentication required on every API endpoint — no unauthenticated routes except health probes
  • All secrets loaded from environment variables — no hardcoded credentials in the codebase
  • Packages are ClamAV-scanned and Grype-analysed before entering the repository
  • GPG signing ensures end-to-end integrity from upload to client installation

Last updated: May 2026 · [email protected]