Anchorr is developed on the main branch, and security fixes are only guaranteed for the latest release and the current main branch.
| Version | Supported |
|---|---|
| Latest release | ✅ |
main branch |
✅ |
| Older releases | ❌ |
If you are running an older version, please update before reporting a security issue unless the issue prevents safe updating.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities privately by contacting the maintainer through one of the following private channels:
- GitHub private security advisory, if enabled for this repository
- Direct message via the official Anchorr Discord server
- Email, if a maintainer email is published in the future
If no private reporting channel is available, open a minimal GitHub issue without disclosing exploitation details, only stating that you need a private contact for a security report.
Please include as much of the following as possible:
- A clear description of the vulnerability
- Affected version or commit
- Steps to reproduce
- Proof of concept, if available
- Impact assessment
- Any suggested remediation
Useful context may include whether the issue affects:
- The web dashboard
- Authentication or session handling
- Stored configuration or secrets
- Discord bot commands or permissions
- Jellyfin webhook ingestion
- Jellyseerr request handling
- Docker deployment defaults
The maintainer will try to:
- Acknowledge receipt of the report
- Confirm whether the issue is reproducible
- Assess severity and impact
- Prepare a fix
- Publish the fix and disclose the issue responsibly
Please allow reasonable time for investigation and remediation before public disclosure.
Please practice responsible disclosure.
Do not publicly share exploit details, proof of concept code, or reproduction steps until:
- A fix has been released, or
- The maintainer has confirmed that public disclosure is safe
When self-hosting Anchorr:
- Do not expose the dashboard directly to the public internet unless you fully understand the risk
- Use a reverse proxy with HTTPS if remote access is required
- Keep API keys, bot tokens, and secrets out of screenshots, logs, and public config files
- Restrict who can access the dashboard
- Keep Anchorr and all dependencies up to date
- Review Discord bot permissions and only grant what is necessary
- Avoid using overly broad role mappings or request permissions
This policy applies to vulnerabilities that could affect the confidentiality, integrity, or availability of Anchorr or user data, including but not limited to:
- Remote code execution
- Authentication bypass
- Authorization flaws
- Secret leakage
- Webhook abuse
- Injection vulnerabilities
- Dependency vulnerabilities with real impact
- Sensitive information exposure
The following are generally out of scope unless they demonstrate real security impact:
- Best-practice suggestions without an exploit path
- Denial of service requiring unrealistic conditions
- Vulnerabilities only present in unsupported versions
- Issues caused solely by insecure third-party deployment choices without an Anchorr defect
Security researchers who report valid issues responsibly may be credited in release notes or documentation, unless they prefer to remain anonymous.