
Security: artysan-code/wordpress-composing


SECURITY.md

Security Policy

Supported Versions

Version              Supported
release branch       Yes
development branch   Yes
beta branch          Yes
Other branches       No

Reporting a Vulnerability

We take the security of this project seriously. If you discover a security vulnerability, please follow responsible disclosure.

How to Report

  1. Do NOT open a public issue for security vulnerabilities
  2. Report privately via GitHub Security Advisories
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 7 days
  • Fix timeline: Depends on severity
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 60 days

Security Scope

This project ships a Docker-based stack, so in-scope security issues include:

  • Container escape vulnerabilities
  • Privilege escalation through the Docker/Compose configuration (for example privileged containers or host path mounts)
  • Exposed ports or services
  • Insecure default configurations
  • Dependency vulnerabilities (PHP extensions, base images)
  • Credential handling in entrypoint scripts
  • Nginx/Apache misconfigurations

Out of Scope

  • WordPress core vulnerabilities (report to WordPress)
  • Third-party plugin/theme vulnerabilities
  • MariaDB or Redis upstream vulnerabilities

Security Best Practices

When deploying this stack:

  1. Never commit .env files or credentials to the repository
  2. Use strong, unique passwords for all services
  3. Keep base images updated (run docker compose pull regularly, then recreate the containers so the new images are actually used)
  4. Run behind a reverse proxy with TLS termination
  5. Restrict network access to management ports (database, cache): bind them to loopback or do not publish them at all
  6. Monitor container logs for suspicious activity
  7. Use FLUSH_REDIS_ON_STARTUP=true after credential changes
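As an added example (not code from artysan-code/wordpress-composing), the following shell script mechanises three of the practices above as a pre-deploy check: .env is kept out of git (1), no service password is weak (2), and no database or cache port is published on every interface (5). The file layout (.gitignore, .env, compose.yml), the *PASSWORD*/*SECRET* variable naming and the management port list (3306 for MariaDB, 6379 for Redis) are assumptions; the sample stack it audits is constructed here and deliberately flawed.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: pre-deploy hygiene check for a
# docker compose WordPress stack. File names, variable names and the
# management port list are assumptions.
set -u

# Practice 1: .env must appear in .gitignore so it can never be committed.
env_is_ignored() {
  grep -qxE '/?\.env' "$1/.gitignore" 2>/dev/null
}

# Practice 2: every *PASSWORD* / *SECRET* variable must be at least 16
# characters and not a well-known default. Prints offending names, one per
# line; returns non-zero if any were found.
weak_passwords() {
  local envfile="$1" bad=0 name value lower
  while IFS='=' read -r name value; do
    case "$name" in
      ''|'#'*) continue ;;
      *PASSWORD*|*SECRET*) ;;
      *) continue ;;
    esac
    value=${value#\"}; value=${value%\"}          # tolerate quoted values
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    case "$lower" in
      ''|password|changeme|secret|root|wordpress|admin|example)
        echo "$name"; bad=1; continue ;;
    esac
    if [ "${#value}" -lt 16 ]; then echo "$name"; bad=1; fi
  done < "$envfile"
  return "$bad"
}

# Practice 5: short-form "ports:" entries for 3306/6379 must bind to
# 127.0.0.1 or be absent; "6379:6379" or a bare "6379" publishes on all
# interfaces. Prints "service port" per violation. Assumes IPv4 host
# addresses and two-space indentation for service names.
exposed_management_ports() {
  local compose="$1" bad=0 line entry service='' in_ports=0 host cport
  local mgmt=' 3306 6379 '
  while IFS= read -r line; do
    case "$line" in
      '') continue ;;
      '  '[a-zA-Z0-9_]*:) service=${line#'  '}; service=${service%:}; in_ports=0; continue ;;
      *' ports:') in_ports=1; continue ;;
      *'- '*) [ "$in_ports" -eq 1 ] || continue ;;
      *) in_ports=0; continue ;;
    esac
    entry=${line#*- }; entry=${entry#\"}; entry=${entry%\"}
    entry=${entry#\'}; entry=${entry%\'}
    cport=${entry##*:}; cport=${cport%%/*}        # container port, drop "/udp"
    case "$entry" in
      *:*:*) host=${entry%%:*} ;;
      *)     host=0.0.0.0 ;;                      # no address given: all interfaces
    esac
    case "$mgmt" in *" $cport "*) ;; *) continue ;; esac
    case "$host" in 127.0.0.1|localhost) ;; *) echo "$service $cport"; bad=1 ;; esac
  done < "$compose"
  return "$bad"
}

# Constructed, deliberately flawed sample stack to run the checks against:
# a default root password, a short Redis password and Redis published on
# all interfaces; MariaDB is bound to loopback and only "expose"d otherwise.
write_sample_stack() {
  local dir="$1"
  mkdir -p "$dir"
  printf '%s\n' '.env' 'wp-content/uploads/' > "$dir/.gitignore"
  printf '%s\n' 'MYSQL_ROOT_PASSWORD=changeme' \
                'MYSQL_PASSWORD=Xk9vLq2mRt7pWz4Bn3Q' \
                'REDIS_PASSWORD=short1' \
                'WORDPRESS_DB_NAME=wordpress' > "$dir/.env"
  cat > "$dir/compose.yml" <<'EOF'
services:
  wordpress:
    image: wordpress:php8.2-fpm
    ports:
      - "127.0.0.1:9000:9000"
  db:
    image: mariadb:11
    ports:
      - "127.0.0.1:3306:3306"
    expose:
      - 3306
  redis:
    image: redis:7
    ports:
      - "6379:6379"
EOF
}

# Runs all three checks on a stack directory; prints findings and returns
# their count (0 means the stack passed).
audit_stack() {
  local dir="$1" n=0 v p
  env_is_ignored "$dir" || { echo ".env is not git-ignored"; n=$((n+1)); }
  for v in $(weak_passwords "$dir/.env" || true); do
    echo "weak password: $v"; n=$((n+1))
  done
  for p in $(exposed_management_ports "$dir/compose.yml" | tr ' ' ':'); do
    echo "published on all interfaces: $p"; n=$((n+1))
  done
  return "$n"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); write_sample_stack "$tmp"
  audit_stack "$tmp"; echo "findings: $?"
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see the three findings on the constructed stack; point `audit_stack` at a real checkout to use it as a pre-deploy gate (a non-zero exit fails the pipeline). It only understands short-form `ports:` entries; a long-form `published:`/`target:` mapping is not parsed and should be reviewed by hand.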

Acknowledgments

We appreciate responsible disclosure from the security community. Contributors who report valid vulnerabilities will be credited (with permission) in release notes.

There aren’t any published security advisories