Security practices, policies, and resources across all Sonicverse open-source projects.
Report a vulnerability
If you’ve found a security issue in any Sonicverse project, report it privately. Do not open a public GitHub issue.
Web form
Submit through the Sonicverse security page.
Send details to security@sonicverse.eu.
GitHub
Use GitHub private vulnerability reporting.
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Affected project, version, or commit (if known)
- Any suggested fix or mitigation
Project security resources
Audio Streaming Stack — security policy
Vulnerability scope, container hardening, automated code review, and secret scanning for the streaming stack.
Audio Streaming Stack — advisories
Published CVEs and advisories with severity ratings, affected versions, and remediation steps.
Firewall configuration
Required ports, automated UFW setup, and studio IP restriction for the streaming stack.
Configuration reference
Environment variables for SSL, authentication, CORS, and access controls.
Organization-wide security practices
Responsible disclosure
All Sonicverse repositories follow coordinated disclosure. You receive acknowledgment within 3 business days and triage within 7 days. Critical vulnerabilities are patched within 14 days. Advisories are published on GitHub after a fix is available.
Container hardening
All Docker-based Sonicverse projects run service containers as non-root users (UID 1000) by default. This limits the blast radius of a container escape by ensuring processes do not have root privileges on the host.
SSL/TLS encryption
Sonicverse projects that expose public endpoints use Let’s Encrypt certificates with automatic provisioning and renewal. All public traffic is served over HTTPS.
Network isolation
Public-facing services are limited to reverse proxies (Nginx). Internal components communicate over private Docker networks and are not directly accessible from the internet.
Authentication and access control
Team-based authentication
Sonicverse projects use Appwrite for team-based authentication where applicable. Only members of your configured team can access protected interfaces.
Role-based access
Write operations are restricted to specific team roles (default: owner, admin). Read-only access is available to all authenticated team members.
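The team-based and role-based rules above combine into a single deny-by-default authorization check. The following is an added example written for this page, not code from any Sonicverse project; it assumes the allowed write roles are configured in a comma-separated environment variable named WRITE_ROLES (a hypothetical name, defaulting to the owner and admin roles stated above) and that the caller already holds the authenticated user's team memberships and role labels, as an Appwrite-style membership record would supply them.

```python
"""Added example (not Sonicverse project code): deny-by-default
authorization modelled on the team-based and role-based access rules.

Assumptions not taken from the page: write roles come from the
hypothetical WRITE_ROLES environment variable, and memberships are
passed in as simple records built from the identity provider's data.
"""
import os
from dataclasses import dataclass, field

DEFAULT_WRITE_ROLES = ("owner", "admin")  # default stated on the page


@dataclass(frozen=True)
class Membership:
    """Constructed stand-in for one user's membership in one team."""
    team_id: str
    roles: frozenset = field(default_factory=frozenset)


def write_roles_from_env(env=None):
    """Parse WRITE_ROLES (hypothetical variable) into a lower-cased set.

    An unset or blank variable falls back to the page default rather
    than to "no role required", so misconfiguration fails closed.
    """
    env = os.environ if env is None else env
    raw = env.get("WRITE_ROLES", "")
    roles = {r.strip().lower() for r in raw.split(",") if r.strip()}
    return frozenset(roles) if roles else frozenset(DEFAULT_WRITE_ROLES)


def is_allowed(memberships, team_id, operation, write_roles=None):
    """Return True only when the request satisfies both rules:

    - the user must be a member of the configured team (team-based rule);
    - a read is then allowed for any member (read-only access);
    - a write additionally requires one of the configured write roles;
    - anything else (unknown verb, other team, no membership) is denied.
    """
    if write_roles is None:
        write_roles = write_roles_from_env()
    if operation not in ("read", "write"):
        return False  # deny unknown verbs instead of guessing a mapping
    member = next((m for m in memberships if m.team_id == team_id), None)
    if member is None:
        return False  # authenticated, but not in the configured team
    if operation == "read":
        return True
    return any(r.lower() in write_roles for r in member.roles)


if __name__ == "__main__":
    # Constructed sample memberships; "team-studio" is a made-up team id.
    editor = [Membership("team-studio", frozenset({"editor"}))]
    admin = [Membership("team-studio", frozenset({"admin"}))]
    roles = write_roles_from_env({})  # default: owner, admin
    print("editor read :", is_allowed(editor, "team-studio", "read", roles))
    print("editor write:", is_allowed(editor, "team-studio", "write", roles))
    print("admin write :", is_allowed(admin, "team-studio", "write", roles))
    print("outsider    :", is_allowed(admin, "other-team", "read", roles))
```

Role names are compared case-insensitively after trimming, and an empty or missing WRITE_ROLES keeps the page default rather than opening writes to everyone; both choices keep a typo in the deployment configuration from widening access.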
CORS policies
Cross-origin requests are restricted to explicitly configured origins. Set the appropriate CORS variable for each project to match your deployment domain.
Automated security tooling
Code review
CodeRabbit automatically reviews pull requests targeting main across Sonicverse repositories. The review uses per-path instructions for Python, TypeScript, Dockerfiles, shell scripts, and CI workflows.
Secret scanning
Sonicverse repositories use TruffleHog to detect accidentally committed secrets. It can also be run locally against any Sonicverse project.
Auto-generated secrets
Installers auto-generate secure passwords and tokens during setup. You never need to create service credentials manually.
Security checklist
Use this checklist when deploying any Sonicverse project to production:
Run the firewall script
Lock down ports to only those required by the project. Restrict management ports to trusted IPs where possible.
Disable risky features
Keep remote management commands disabled unless you have a specific need and a trusted network.