The RemoteCV maintainers take security vulnerabilities seriously. If you discover a security issue in RemoteCV, please report it responsibly.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report the vulnerability privately using GitHub's Private Vulnerability Reporting feature:
- Go to the repository's Security tab
- Click Report a vulnerability
- Submit the details through the GitHub Security Advisory form
Include as much information as possible to help us reproduce the issue:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- A proof of concept (PoC), if available
- Your environment (RemoteCV version, configuration, and deployment model)
We will acknowledge receipt of your report as soon as possible and work with you to understand and resolve the issue.
We ask that you follow responsible disclosure practices:
- Do not publicly disclose the vulnerability before it has been addressed.
- Allow the maintainers reasonable time to investigate and fix the issue.
- Coordinate with us before publishing advisories, blog posts, or CVEs.
Once the issue is fixed, we will publicly acknowledge your contribution unless you prefer to remain anonymous.
Security fixes are typically provided for the most recent stable versions of RemoteCV.
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor versions | Best effort |
| Older versions | No |
Users are strongly encouraged to keep their RemoteCV installations up to date.
When deploying RemoteCV in production, please consider the following:
- Run workers on private networks whenever possible.
- Restrict access to Redis, SQS, and any healthcheck endpoints.
- Keep Pillow, OpenCV, and other runtime dependencies up to date.
- Protect credentials and configuration passed through environment variables.
- Limit which image sources can reach your processing pipeline.
Proper deployment and dependency hygiene help reduce the risk of abuse, unauthorized job execution, and vulnerable image-processing paths.
We appreciate the efforts of security researchers and the open-source community in responsibly reporting vulnerabilities and helping improve the security of RemoteCV.