# Security Policy

## Supported versions
| Version | Supported |
|---|---|
| 1.x.x | Yes |
| < 1.0 | No |
## Reporting a vulnerability
We take security seriously. If you discover a security vulnerability, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
### How to report
- Email: Send details to security@krakenchat.app
- GitHub Security Advisories: Use GitHub's private vulnerability reporting
### What to include
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (optional)
### What to expect
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Resolution timeline: Depends on severity, typically 30–90 days
## Scope

### In scope
- Kraken backend API
- Kraken frontend application
- Electron desktop application
- Docker images and Helm charts
- Authentication and authorization flaws
- Data exposure vulnerabilities
### Out of scope
- Self-hosted instances with modified code
- Third-party dependencies (report to upstream maintainers)
- Social engineering attacks
- Physical security
## Self-hosting security best practices
If you're self-hosting Kraken:
- Change all default secrets in your `.env` and Helm values
- Use HTTPS with valid TLS certificates
- Keep dependencies updated — watch for Dependabot alerts
- Restrict network access to your MongoDB and Redis instances
- Enable authentication on all database connections
- Regularly back up your data
- Monitor logs for suspicious activity
## Acknowledgments
We appreciate security researchers who help keep Kraken safe. Contributors who responsibly disclose vulnerabilities will be acknowledged here (with permission).