
Security: Boomboomdunce/ctmux


SECURITY.md

Security Policy

Reporting

Report suspected vulnerabilities privately through the maintainer's preferred private channel or a private security advisory if the hosting platform provides one. Do not open a public issue with active exploit details, credentials, private URLs, logs containing shell output or deployment secrets.

Supported model

The ctmux self-hosted VPS relay/control plane is designed for user-owned infrastructure. The user runs their own VPS, their own reverse proxy and their own relay data directory. There is no official hosted cloud service in the current product model (the MVP).

Self-hosted Security Boundary

The current MVP uses HTTPS/WSS transport security, admin sessions, CSRF/Origin checks, connect-key and token storage, device revocation, node revocation and Secure cookie enforcement on public deployments.

End-to-end encryption (E2EE) is not claimed. The current VPS relay can see terminal plaintext, terminal metadata and notification metadata. This is acceptable only under the current self-hosted trust model, where the operator trusts their own VPS. Any future E2EE claim requires a separate design, tests, migration plan, public E2E and completion audit.

For Cloudflare deployments, use Cloudflare's Full (strict) SSL/TLS mode and a valid origin certificate for the public hostname. Public deployments must use HTTPS/WSS and Secure admin cookies; HTTP-only public paths are diagnostic only and are not completion evidence.
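The Origin check and the Secure cookie enforcement described above, as an added example in Go that is not ctmux's own code: a same-origin middleware that rejects cross-origin state-changing requests and WebSocket upgrades, and an admin session cookie built with the Secure, HttpOnly and SameSite=Strict attributes a public HTTPS deployment needs. The public hostname relay.example.com, the cookie name ctmux_admin, the loopback listen address and the helper names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originAllowed reports whether a browser-supplied Origin header names the
// public hostname the relay is served under, over HTTPS. An absent or "null"
// Origin is rejected: browsers always send Origin on cross-site POSTs and on
// WebSocket upgrades, so its absence there is not a same-origin signal.
// (hypothetical helper; publicHost is the deployment's public hostname, with
// its port if the public URL carries a non-default one)
func originAllowed(origin, publicHost string) bool {
	if origin == "" || origin == "null" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	return strings.EqualFold(u.Host, publicHost)
}

// adminSessionCookie builds the admin session cookie with the attributes a
// public HTTPS deployment needs: Secure (never sent over plain HTTP), HttpOnly
// (not readable by page scripts) and SameSite=Strict (not attached to
// cross-site requests). The cookie name is a placeholder.
func adminSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "ctmux_admin",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	}
}

// requireSameOrigin wraps a handler and rejects requests whose Origin fails
// the check. Safe methods pass without an Origin, except WebSocket upgrades,
// which are GETs but still need the check because cookies ride along on them.
func requireSameOrigin(publicHost string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		isUpgrade := strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead
		if (!safe || isUpgrade) && !originAllowed(r.Header.Get("Origin"), publicHost) {
			http.Error(w, "forbidden: origin check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/login", func(w http.ResponseWriter, r *http.Request) {
		// Session value is a placeholder; a real login would mint an opaque id.
		http.SetCookie(w, adminSessionCookie("opaque-session-id-placeholder"))
		fmt.Fprintln(w, "ok")
	})
	// Listen on loopback only: TLS is terminated by the reverse proxy in front,
	// which is also what makes the Secure cookie attribute usable.
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", requireSameOrigin("relay.example.com", mux)))
}
```

Because the check compares against the configured public hostname rather than the incoming Host header, a reverse proxy that rewrites Host does not weaken it; a plain-HTTP diagnostic path fails the check by design, which matches the policy's point that such paths are not completion evidence.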

Secret Handling

Do not share or commit:

  • private key material;
  • admin password;
  • session cookie;
  • bearer token;
  • connect key;
  • node token;
  • device token;
  • terminal ticket;
  • terminal transcript or screenshot containing sensitive shell context.

Keep real deployment env files and TLS material outside source control. The deploy/key/ directory is intentionally ignored by version control.

Evidence Redaction

Public run records may include hostname, public IP, non-secret command names, HTTP status, TLS metadata and private evidence pointers. They must not include live credentials, token values, cookie values, private keys or full terminal logs.

Use docs/operations/samples/remote-control-self-hosted-vps-redacted-evidence-sample.md as the current evidence style guide.
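A redaction pass for run records along the lines the section above requires, as an added example in Go that is not ctmux's own code: it keeps hostname, IP, status and TLS metadata while masking bearer tokens, cookie values, connect-key/node-token/device-token style values and PEM private-key blocks. The field names matched (connect_key, node_token, device_token, terminal_ticket, admin_password), the cookie name and the sample record are constructed assumptions, not ctmux's real formats.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for the secret classes the policy lists. The key names matched by
// tokenKVRe are assumptions about how such values might appear in a record,
// not ctmux's real field names.
var (
	pemRe       = regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`)
	bearerRe    = regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)\S+`)
	cookieHdrRe = regexp.MustCompile(`(?i)(?:^|[^-\w])cookie:\s*`)
	setCookieRe = regexp.MustCompile(`(?i)(set-cookie:\s*[^=;\s]+=)[^;\s]+`)
	pairRe      = regexp.MustCompile(`([^=;\s]+=)[^;\s]*`)
	tokenKVRe   = regexp.MustCompile(`(?i)\b((?:connect[_-]?key|node[_-]?token|device[_-]?token|terminal[_-]?ticket|admin[_-]?password)\s*[=:]\s*)\S+`)
)

// redactLine masks secret values on one line while keeping the surrounding
// non-secret context (header names, cookie names, Set-Cookie attributes).
func redactLine(line string) string {
	line = bearerRe.ReplaceAllString(line, "${1}[REDACTED]")
	// A request Cookie header carries only name=value pairs, so mask every value.
	if loc := cookieHdrRe.FindStringIndex(line); loc != nil {
		line = line[:loc[1]] + pairRe.ReplaceAllString(line[loc[1]:], "${1}[REDACTED]")
	}
	// A Set-Cookie header carries the value first, then attributes such as
	// Path or Secure that are useful evidence, so mask only the first pair.
	line = setCookieRe.ReplaceAllString(line, "${1}[REDACTED]")
	line = tokenKVRe.ReplaceAllString(line, "${1}[REDACTED]")
	return line
}

// redactRecord redacts a whole run record: PEM private-key blocks span lines,
// so they are removed from the full text before the per-line pass.
func redactRecord(text string) string {
	text = pemRe.ReplaceAllString(text, "[REDACTED PRIVATE KEY]")
	lines := strings.Split(text, "\n")
	for i, l := range lines {
		lines[i] = redactLine(l)
	}
	return strings.Join(lines, "\n")
}

func main() {
	// Constructed sample record; not real ctmux output.
	sample := strings.Join([]string{
		"2026-01-01T00:00:00Z GET /admin 200 tls=TLSv1.3 host=relay.example.com ip=203.0.113.10",
		"Cookie: ctmux_admin=opaque-session-value; theme=dark",
		"Set-Cookie: ctmux_admin=new-session-value; Path=/; Secure; HttpOnly",
		"Authorization: Bearer example.bearer.token",
		"connect_key=ck_example node_token: nt_example",
		"-----BEGIN PRIVATE KEY-----",
		"FAKEBASE64LINE",
		"-----END PRIVATE KEY-----",
	}, "\n")
	fmt.Println(redactRecord(sample))
}
```

Pattern-based redaction is a last line of defence, not a substitute for never pasting full terminal logs into a public record: a value that does not match any pattern passes through untouched, so review the output against the redacted sample the policy points to before publishing.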
