Heimdall is beta. It runs in production at Cold Code Labs but is pre-1.0; treat any self-hosted deployment as your own responsibility to secure.
Please do not open a public issue for security vulnerabilities.
Instead, use GitHub's private vulnerability reporting on this repository:
- Go to the Security tab → Report a vulnerability.
This opens a private channel with the maintainers. Please include:
- a description of the issue and its impact,
- steps to reproduce (or a proof of concept), and
- any affected versions or configurations you're aware of.
We'll acknowledge the report, investigate, and coordinate a fix and disclosure timeline with you.
Heimdall holds powerful credentials — it drives a deployment engine, provisions a data plane, and stores secrets. Reports are most useful when they concern Heimdall's own code and defaults — for example:
- the control-plane API and its authentication (HEIMDALL_INTERNAL_TOKEN),
- the routing-agent endpoints and their token,
- Ice Vault encryption and audit,
- how tenant secrets are injected and exposed,
- per-app isolation across the modules.
Misconfiguration of a self-hosted deployment, or vulnerabilities in the upstream components Heimdall orchestrates (Coolify, Traefik, Logto, Hauldr), should be reported to the relevant project — though we're happy to help triage if you're unsure.