Security: cold-code-labs/heimdall

SECURITY.md

Security Policy

Status

Heimdall is beta. It runs in production at Cold Code Labs but is pre-1.0; treat any self-hosted deployment as your own responsibility to secure.

Reporting a vulnerability

Please do not open a public issue for security vulnerabilities.

Instead, use GitHub's private vulnerability reporting on this repository:

  • Go to the Security tab → Report a vulnerability.

This opens a private channel with the maintainers. Please include:

  • a description of the issue and its impact,
  • steps to reproduce (or a proof of concept), and
  • any affected versions or configurations you're aware of.

We'll acknowledge the report, investigate, and coordinate a fix and disclosure timeline with you.

Scope

Heimdall holds powerful credentials — it drives a deployment engine, provisions a data plane, and stores secrets. Reports are most useful when they concern Heimdall's own code and defaults — for example:

  • the control-plane API and its authentication (HEIMDALL_INTERNAL_TOKEN),
  • the routing-agent endpoints and their token,
  • Ice Vault encryption and audit,
  • how tenant secrets are injected and exposed,
  • per-app isolation across the modules.

Misconfiguration of a self-hosted deployment, or vulnerabilities in the upstream components Heimdall orchestrates (Coolify, Traefik, Logto, Hauldr), should be reported to the relevant project — though we're happy to help triage if you're unsure.
