Medusa is an orchestrator. It does not implement security primitives itself — it wraps Docker Compose stacks, CLI installers, and a few helper functions around 35 upstream open-source security tools.

That means there are two distinct disclosure paths:

Examples of what's in scope for this project:

• Command injection or unsafe eval / unquoted expansion in medusa.sh, lib/*.sh
• A generated docker-compose.yml that exposes a service on 0.0.0.0 when it should be 127.0.0.1, or sets a weak default password
• A credentials.txt written without chmod 600
• Path traversal in the ENV_NAME handling
• Curl-based installers that don't verify the source

Examples of what's out of scope:

• A CVE in Wazuh, MISP, OpenCTI, etc. — open an issue with the upstream
• "Falco runs as privileged" — that is by design and documented in the compose file, file an issue if you want to discuss the trade-off
• Vault is in dev mode by default — also intentional and warned about in the deploy output and the README

Do not open a public GitHub issue for security reports.

Use GitHub Security Advisories instead — it lets us discuss privately, prepare a fix, and coordinate disclosure:

→ Report a vulnerability

If you cannot use Security Advisories, contact the maintainer through the email listed on their GitHub profile.

• A description of the vulnerability and its impact
• Steps to reproduce (ideally a minimal ./medusa.sh ... invocation or a diff)
• The Medusa version / commit hash
• Your suggested fix, if you have one

This is a personal open-source project, so response times are best-effort. Expect an acknowledgement within a few days, and a proposed fix or disclosure timeline within a couple of weeks for confirmed issues.

Only the main branch and the latest tagged release receive fixes. There is no LTS branch.