Please do not report security vulnerabilities through public GitHub issues.
Instead, report them privately using GitHub Security Advisories. We will acknowledge your report, investigate, and keep you updated on the fix.
When reporting, please include:
- A description of the vulnerability and its impact
- Steps to reproduce (proof-of-concept if possible)
- Affected version/commit and environment
This project is under active development. Security fixes are applied to the
latest master.
Orch is configured entirely through environment variables and secret stores — never hard-code credentials.
.envis gitignored; commit only.env.examplewith placeholder values.JWT_SECRETand any API tokens must be supplied at deploy time, not committed.- If a secret is ever committed, rotate it immediately — rewriting Git history does not guarantee the old value is unreachable on remote hosts or in clones.