We actively support security and operational updates for the latest stable and pre-release versions in the current major series.
| Version | Supported |
|---|---|
| 3.10.x stable (current: 3.10.2) and newer | ✅ |
3.10.x pre-releases / betas (e.g. 3.10.1.b2) while testing |
✅ (lab/test only) |
| 3.9.x | ✅ (security fixes as feasible; prefer upgrade to 3.10.2+) |
| 3.0 – 3.8.x | Limited — upgrade when you can |
| < 3.0 | ❌ (end of life) |
We recommend running the latest stable GitHub Release (v3.10.2 as of this policy refresh). Use pre-release tags only on lab/test systems unless you have a deliberate beta rollout. Patch releases within a minor series receive priority security backports where feasible.
The safety of users' Puppet/OpenVox infrastructure is paramount. We appreciate responsible disclosure.
- Navigate to the repository's Security Advisories page.
- Click "Report a vulnerability".
- Provide a detailed report including:
- Affected version(s) and component (backend, ovox CLI, frontend, installer, etc.).
- Steps to reproduce.
- Potential impact (e.g., information disclosure, privilege escalation, symlink attacks).
- Suggested fix or mitigation if known.
This uses GitHub's private vulnerability reporting system, creating a temporary private fork for discussion between the reporter and maintainers.
For very sensitive reports or if the GitHub form is unavailable:
- Email: questy@gmail.com
- Include "SECURITY" in the subject.
- We will respond within 48 hours (business days).
Do not disclose vulnerabilities publicly (e.g., via GitHub issues, social media, or blog posts) until we have had a chance to investigate, patch, and coordinate a release. We follow a standard coordinated disclosure timeline (typically 90 days or less for critical issues, adjusted for severity and complexity).
- Acknowledgment: Within 1-2 business days.
- Initial Assessment: We will confirm validity, severity (using CVSS where applicable), and affected components.
- Fix Development: We prioritize security fixes. For dependency issues (e.g. pydantic ecosystem), we update pins and test compatibility.
- Release: A patch release (or pre-release tag) will be issued. The advisory will be published on GitHub once the fix is available in a tagged release.
- Credit: Reporters are credited in the advisory and CHANGELOG unless they request anonymity.
- Dependencies: We use Dependabot for automated alerts on direct dependencies. Critical security updates (e.g., GHSA advisories) are reviewed and merged promptly.
- Example:
pydantic-settings2.14.1 → 2.14.2 (this release) fixes GHSA-4xgf-cpjx-pc3j.- Details: The
NestedSecretsSettingsSource(activated viasecrets_nested_subdir=Trueor related configuration in pydantic-settings) could follow symbolic links outside the configuredsecrets_dir. This allowed reading files outside the intended directory tree and potentially bypassedsecrets_dir_max_sizelimits. Affected: pydantic-settings >=2.12.0 and <2.14.2. - Why it matters here: The main
Settingsclass (backend/app/config.py) inherits frompydantic_settings.BaseSettingsand loads fromenv_file. While we do not currently enablesecrets_dir/ nested secrets in production config paths, transitive use, future features, or user extensions could trigger the vulnerable code path. Updating eliminates the risk proactively. - Operational note: This is both a security and operational update—keeping the pydantic ecosystem current ensures compatibility with FastAPI, type validation, and settings sources used across models, routers, and CLI config.
- Details: The
- Example:
- Code Audits: Historical internal security audits are documented in
docs/audits/. All high/critical findings from prior audits have been addressed (e.g., explicit role-based auth on privileged actions). - Ongoing: We monitor for issues in:
- Core: FastAPI, Uvicorn, Pydantic (core + settings), SQLAlchemy, Cryptography, PyJWT, etc.
- CLI (ovox): Typer, Pydantic, Rich, HTTPX.
- Frontend: Vite, React ecosystem (npm audit).
- System: Installer scripts, sudoers rules, service units.
- Pins in
backend/requirements.txtandovox/pyproject.tomlare the source of truth. The installer and packaging use these.
- Run behind a reverse proxy with TLS (see
docs/INSTALLER.md, nginx/Apache configs). - Use strong, unique values for
OPENVOX_GUI_SECRET_KEY, admin passwords, anddeploy_webhook_secret. - Restrict network access to the service port (default 4567) and Puppet ports.
- Regularly run
sudo ./scripts/update_remote.sh --yes(or equivalent) after reviewing release notes. - For air-gapped or high-security environments: review vendored packages and consider vendoring the entire venv.
- Avoid running with
AUTH_BACKEND=nonein production (the app emits warnings and refuses in non-debug mode). - Keep the underlying OS, Python, and system packages updated.
This policy covers the openvox-gui repository, including:
- Backend (FastAPI app, config loading via pydantic-settings)
- ovox CLI and TUI
- Installer and update scripts (
install.sh,update_*.sh, etc.) - Frontend build and assets
- Supporting configs (systemd, Apache/nginx, sudoers)
It does not cover:
- Third-party Puppet/OpenVox modules or control repos you manage with the tool.
- The underlying Puppet Server, PuppetDB, or r10k (report those to their respective projects or Vox Pupuli).
Open a non-security GitHub issue or discussion, or contact the maintainer.
Thank you for helping keep OpenVox GUI and the broader infrastructure management ecosystem secure.
Last updated: 2026-06-22 (in conjunction with pydantic-settings security patch and SECURITY.md addition). See CHANGELOG.md for related dependency and hardening history.