VibeSwarm exposes developer workspaces that run untrusted code. We take reports seriously.
Please do not open a public issue for security problems. Instead, report privately via GitHub Security Advisories ("Report a vulnerability" on the Security tab) or email contact@dislace.com.
Include: what you found, how to reproduce it, and the impact. We aim to acknowledge within 72 hours and to coordinate a fix and disclosure timeline with you.
In scope: identity/routing bypass, tenant isolation escape, token leakage, proxy misconfiguration, container hardening gaps.
Out of scope (documented limitations — see THREAT-MODEL.md): open tenant egress, shared-kernel container boundary, broad T3 token scope in v1.
- Enable Cloudflare Access on the hostname with a strict allow-policy.
- Keep the origin reachable only via the tunnel (no published ports).
- Run
vswarm doctorafter every change; treat anyFAILas blocking. - Enable JWT verification (
templates/njs/access-jwt.js) for production. - Run on a dedicated host; consider Docker
userns-remap.