Relier is pre-1.0. Security fixes are released against the latest
0.MINOR.x line; older minor versions do not receive backports.
| Version | Supported |
|---|---|
0.1.x |
✅ |
< 0.1 |
❌ |
Once 1.0.0 ships, this table will be updated to reflect a longer
support window for the most recent 1.x line.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting:
- Open https://github.com/getrelier/relier/security/advisories/new.
- Provide a description, reproduction steps, and an assessment of impact (data loss, privilege escalation, denial of service, etc.).
- If your report includes proof-of-concept code, attach it as a file rather than pasting into the description.
If GitHub private reporting is unavailable to you, email
fajimikolade23@gmail.com with [relier-security] in the subject
line. Include the same information as above.
- Acknowledgement within 3 business days.
- Triage within 7 business days we will tell you whether the report is accepted as a security issue or reclassified as a regular bug, and what the planned timeline is.
- Coordinated disclosure we will agree on a disclosure date with you. The default window is 90 days from acknowledgement, but high-severity issues may warrant faster disclosure and low-severity issues may be bundled with the next scheduled release.
- Credit we will credit you in the release notes and the GitHub Security Advisory unless you ask otherwise.
In scope:
- The
relierPython package (src/relier/). - The bundled OpenTelemetry / Prometheus / Grafana configurations
under
scripts/. - The Docker manifests (
Dockerfile,Dockerfile.bench,docker-compose*.yml). - The Lua scripts under
src/relier/storage/lua/.
Out of scope:
- Vulnerabilities in upstream dependencies (Celery, Redis, Kombu,
pydantic, OpenTelemetry SDKs). Report those to their upstream maintainers; we will follow up with a Relier-side mitigation once the upstream fix is published. - Misconfiguration in your own deployment (e.g. exposing Redis on a public network with no auth). The Configuration and Deployment docs describe the secure defaults.
These are deliberate trade-offs, not vulnerabilities:
SECRET_KEYdefault is"change-in-production". Relier surfaces this inSettings; production deploys must overrideRELIER_SECRET_KEY.- Bench / dev Grafana anonymous viewer is enabled by default. The
production compose manifest (
docker-compose.prod.yml) disables it and requiresGRAFANA_ADMIN_PASSWORD. - Task payloads in Redis are not encrypted at rest. Run Redis with
TLS (
rediss://) for in-flight encryption and rely on disk-level encryption for at-rest. The schema envelope includes an HMAC but is not a confidentiality boundary.