If you discover a security vulnerability in Open Brain, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

1. Email: Contact Scott Nichols via LinkedIn
2. GitHub: Use GitHub Security Advisories to report privately

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Assessment: Within 1 week
• Fix: Depending on severity, typically within 2 weeks for critical issues

• Rotate MCP_ACCESS_KEY regularly — Generate with openssl rand -hex 32
• Never expose port 8080 to the public internet without TLS — Use a reverse proxy (nginx, Tailscale Funnel, etc.)
• Use Kubernetes Secrets or a secret manager for DB_PASSWORD and MCP_ACCESS_KEY
• Keep dependencies updated — Dependabot is configured on this repo
• Run as non-root in Docker (default since v1.1)
• Network isolation — PostgreSQL should not be reachable from the public internet