Skip to content

Security: Milvasoft/milvaion

Security

SECURITY.md

Security Policy

Supported Versions

The following versions of Milvaion are currently being supported with security updates:

Version Supported
1.0.x
< 1.0

Reporting a Vulnerability

We take the security of Milvaion seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Where to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to [email protected].

Include the following information in your report:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

You should receive a response within 96 hours acknowledging your report. We will keep you informed about the progress towards a fix and announcement.

After the initial reply to your report, our security team will:

  1. Confirm the vulnerability and determine its severity
  2. Develop a fix for all supported versions
  3. Prepare a security advisory for publication
  4. Release patched versions as soon as possible
  5. Publicly disclose the vulnerability after patches are available

Responsible Disclosure

We kindly ask you to:

  • Give us reasonable time to fix the issue before public disclosure
  • Avoid exploiting the vulnerability
  • Demonstrate good faith by not accessing or modifying other users' data
  • Not perform actions that could negatively affect Milvaion users or infrastructure

Bug Bounty Program

At this time, Milvaion does not have a paid bug bounty program. However, we deeply appreciate security researchers who responsibly disclose vulnerabilities and will publicly acknowledge contributors (with their permission) in:

  • Security advisories
  • Release notes
  • CONTRIBUTORS.md file

Security Best Practices for Users

Production Deployments

When deploying Milvaion to production, follow these security best practices:

1. Authentication & Authorization

  • Never use default credentials - Change the root password immediately
  • Use strong passwords - Minimum 12 characters with complexity requirements
  • Enable JWT token validation - Set ValidateIssuer and ValidateAudience to true
  • Use short token expiration - Set ExpirationMinute to 15-30 minutes in production
  • Rotate JWT secrets regularly - Use environment variables, never commit secrets
# Generate a secure JWT secret
openssl rand -hex 32

2. Network Security

  • Use HTTPS - Always enable TLS in production with valid certificates
  • Enable CORS properly - Restrict origins to trusted domains only
  • Use private networks - Keep Redis and RabbitMQ on internal networks
  • Configure firewall rules - Allow only necessary ports

Recommended port access:

Service Port Access
API 443 Public
PostgreSQL 5432 Internal
Redis 6379 Internal
RabbitMQ 5672 Internal
RabbitMQ Management 15672 Admin VPN only

3. Database Security

  • Use strong passwords - For PostgreSQL user accounts
  • Enable SSL/TLS - For database connections
  • Restrict network access - Use PostgreSQL pg_hba.conf to limit connections
  • Regular backups - Encrypt backup files
  • Connection pooling - Use connection limits to prevent exhaustion

Example connection string with SSL:

Host=postgres.example.com;Port=5432;Database=MilvaionDb;Username=milvaion;Password=***;SSL Mode=Require;Trust Server Certificate=false

4. Redis Security

  • Set a strong password - Use requirepass in redis.conf
  • Disable dangerous commands - Rename FLUSHDB, FLUSHALL, CONFIG, SHUTDOWN
  • Bind to specific interfaces - Don't expose to public internet
  • Use TLS encryption - For Redis 6.0+
# In redis.conf
requirepass your_strong_password_here
rename-command CONFIG ""
rename-command FLUSHDB ""
rename-command FLUSHALL ""
bind 127.0.0.1 ::1

5. RabbitMQ Security

  • Change default credentials - Never use guest/guest in production
  • Use TLS - Enable SSL/TLS for AMQP connections
  • Create dedicated users - Separate users for API and Workers with minimal permissions
  • Enable access control - Configure vhost permissions properly
  • Limit management UI access - Use VPN or IP whitelist
# Create users with limited permissions
rabbitmqctl add_user milvaion_api secure_password_1
rabbitmqctl add_user milvaion_worker secure_password_2
rabbitmqctl set_permissions -p / milvaion_api ".*" ".*" ".*"
rabbitmqctl set_permissions -p / milvaion_worker ".*" ".*" ".*"

6. Container Security

  • Use non-root users - Run containers as non-privileged users
  • Keep images updated - Regularly update base images
  • Scan for vulnerabilities - Use tools like Trivy or Snyk
  • Use read-only file systems - Where possible
  • Limit resource usage - Set memory and CPU limits
# Docker Compose example
services:
  milvaion-api:
    image: milvasoft/milvaion-api:latest
    user: "1000:1000"
    read_only: true
    security_opt:
      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 2G

7. Secrets Management

Never hardcode secrets in configuration files. Use one of these approaches:

Option 1: Environment Variables

export ConnectionStrings__DefaultConnectionString="Host=..."
export MilvaionConfig__Redis__Password="..."
export Milvasoft__Identity__Token__SymmetricPublicKey="..."

Option 2: Docker Secrets (Docker Swarm)

secrets:
  db_password:
    external: true
  jwt_key:
    external: true

Option 3: Kubernetes Secrets

apiVersion: v1
kind: Secret
metadata:
  name: milvaion-secrets
type: Opaque
data:
  db-password: <base64-encoded>
  jwt-key: <base64-encoded>

Option 4: Azure Key Vault / AWS Secrets Manager

8. Monitoring & Logging

  • Enable audit logging - Log all authentication attempts
  • Monitor failed login attempts - Set up alerts for suspicious activity
  • Send logs to SIEM - Centralized security monitoring
  • Redact sensitive data - Don't log passwords, tokens, or PII
  • Set up alerts - For security events

Example: Configure Seq with retention and access control

9. Worker Security

  • Isolate workers - Run workers in separate networks/containers
  • Validate job data - Never trust job payloads
  • Limit external access - Workers should not be directly accessible
  • Use timeouts - Prevent infinite loops or DoS
  • Sandbox execution - Consider containerizing individual job execution

10. API Security

  • Rate limiting - Prevent brute force and DoS attacks
  • Input validation - Validate all user inputs
  • Output encoding - Prevent XSS attacks
  • CSRF protection - Use anti-forgery tokens
  • Security headers - Set proper HTTP security headers
// Example security headers in ASP.NET Core
app.Use(async (context, next) =>
{
    context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    context.Response.Headers.Add("Referrer-Policy", "no-referrer");
    context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'");
    await next();
});

Security Advisories

Security advisories will be published on:

Security Updates

To stay informed about security updates:

  1. Watch the repository - Enable "Releases only" or "All activity"
  2. Subscribe to notifications - GitHub will email you about security advisories
  3. Check regularly - Review the CHANGELOG.md for security fixes
  4. Keep updated - Always run the latest supported version

Compliance

Milvaion is designed to help you meet compliance requirements, but proper configuration is your responsibility:

  • GDPR - Implement proper data retention and deletion policies
  • HIPAA - Encrypt data at rest and in transit, implement access controls
  • SOC 2 - Enable comprehensive logging and monitoring
  • PCI DSS - Follow security best practices for payment-related jobs

Third-Party Dependencies

We regularly update dependencies to address security vulnerabilities. You can review our dependencies in:

  • Backend: src/*/Directory.Packages.props
  • Frontend: src/MilvaionUI/package.json

We use automated tools (Dependabot) to detect vulnerable dependencies.

Security Hardening Checklist

Before going to production, verify:

  • Changed all default passwords
  • Generated and configured strong JWT secret
  • Enabled HTTPS with valid certificate
  • Configured CORS for specific origins
  • Database connections use SSL/TLS
  • Redis requires password authentication
  • RabbitMQ uses non-default credentials
  • Secrets stored in secure vault (not in code)
  • Containers run as non-root users
  • Security headers configured
  • Rate limiting enabled
  • Logging configured with sensitive data redaction
  • Monitoring and alerting set up
  • Backup strategy implemented
  • Disaster recovery plan documented

Contact

For security concerns, contact us at:

Thank you for helping keep Milvaion and our users safe!

There aren't any published security advisories