We take security seriously. Panelica protects production infrastructure for hosting providers, agencies and end customers — a single vulnerability can affect a lot of real systems. If you find something, we want to hear about it, and we'll work with you to get it fixed.
| Version branch | Status |
|---|---|
| Latest stable (released within the last 60 days) | Receives security patches |
| Older releases | Best-effort — please upgrade to the latest stable |
| Beta / pre-release builds | Investigated, but expect rapid iteration |
The current stable version is shown in the panel footer and at https://panelica.com/changelog.
Do not open a public GitHub issue, discussion, or forum post for security findings.
Email: security@panelica.com
Please include:
- A clear description of the issue
- The affected component (panel UI, REST API, an internal service, etc.)
- Steps to reproduce — minimal proof-of-concept is ideal
- Impact assessment (what an attacker can achieve)
- Your affected version and OS / distribution
- Any logs, screenshots, or scripts that help us reproduce
- Whether you'd like to be credited (and how)
If your finding includes sensitive data (credentials, tokens, customer info), please redact it before sending. We can provide a PGP key on request.
If email is impractical, you may use GitHub's private vulnerability reporting on this repository.
| Milestone | Target |
|---|---|
| Acknowledgement of your report | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Status updates while we investigate | Weekly, or sooner on critical issues |
| Fix released for critical issues | Typically within 14 days of confirmation |
| Coordinated disclosure window | 90 days by default (negotiable) |
We follow a coordinated-disclosure model: we'd like to ship a fix and notify operators before details become public. If you have a hard deadline (conference talk, blog post, regulatory requirement), tell us and we'll work to meet it.
In scope:
- The Panelica panel (web UI, REST APIs, internal services)
- Default configuration of bundled services managed by Panelica (NGINX, Apache, PHP-FPM, MySQL, PostgreSQL, Redis, BIND, Postfix, Dovecot, ProFTPD, ModSecurity rules, Fail2ban, etc.)
- Update / installer scripts published from https://panelica.com
- Authentication, RBAC, isolation boundaries between users
- Migration tooling that touches customer data
Out of scope:
- Vulnerabilities that require physical access to the server
- Issues that require root-equivalent access the attacker already has
- Defects in third-party services we package but did not author (please report those upstream)
- Self-XSS, missing security headers without a real attack path, clickjacking on non-sensitive pages
- Reports generated by automated scanners with no demonstrated impact
- Attacks against demo or staging instances run by Panelica
- DDoS, volumetric attacks, social engineering, physical attacks
- Findings on pirated or unlicensed installations
We maintain a public hall of fame for researchers who help us. If you'd like to be listed (with a name and optional link), say so in your report. We do not currently run a paid bug bounty programme, but for high-impact findings we may offer:
- Public credit in the security advisory and changelog
- Panelica licence credit
- Project swag
We will not pursue legal action against good-faith security researchers who:
- Make a genuine effort to avoid privacy violations, service disruption, and data destruction
- Only interact with systems they own, or have explicit permission to test
- Give us reasonable time to fix the issue before public disclosure
- Do not exploit findings beyond what's necessary to demonstrate the issue
When in doubt, ask first — security@panelica.com — and we'll work it out together.
Thanks for helping keep Panelica and its users safe.