We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
We take security vulnerabilities seriously. If you discover a security vulnerability in OpenTranscribe, please follow these guidelines:
- DO NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to: [your-email@domain.com] (replace with your email)
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fixes (if any)
Response Process:
- Acknowledgment: We'll acknowledge receipt of your report within 48 hours
- Investigation: We'll investigate and assess the vulnerability
- Updates: We'll provide regular updates on our progress
- Resolution: We'll work to resolve the issue as quickly as possible
Response Timelines:
- Critical vulnerabilities: 24-48 hours for initial response, 7 days for fix
- High severity: 72 hours for initial response, 14 days for fix
- Medium/Low severity: 1 week for initial response, 30 days for fix
Docker and Containers:
- Keep Docker and Docker Compose updated
- Use non-root users in containers when possible
- Regularly update base images
- Scan images for vulnerabilities
Application Configuration:
- Use strong JWT secrets in production
- Enable HTTPS/TLS for all communications
- Regularly rotate API keys and secrets
- Implement rate limiting
- Encrypt sensitive data at rest
- Use secure file upload validation
Operations:
- Regularly back up your data
- Monitor access logs
- Keep all dependencies updated
- Use firewalls to restrict access
- Monitor system logs
- Implement proper access controls
File Processing:
- OpenTranscribe processes user-uploaded audio/video files
- Files are validated for type and size
- Consider running in isolated environments for maximum security
Model Downloads:
- WhisperX models are downloaded from Hugging Face
- Verify model checksums when possible
- Keep models updated
Database:
- Use strong database passwords
- Limit database access to necessary services only
- Regularly back up the database with encryption
Built-in Security Features:
- JWT-based authentication with secure token rotation
- Role-based access control (RBAC)
- File type validation
- Input sanitization
- CORS protection
- Rate limiting capabilities
OpenTranscribe supports multiple authentication methods for different security requirements:
| Method | Description | Use Case |
|---|---|---|
| Local | bcrypt password hashing with SHA256 pre-hash | Default for standalone deployments |
| LDAP/AD | LDAPS with service account binding | Enterprise Active Directory integration |
| OIDC/Keycloak | OAuth 2.0 with PKCE flow | Single Sign-On, federated identity |
| PKI/X.509 | Certificate-based authentication | Government systems (CAC/PIV) |
See the detailed setup guide for each method.

Multi-Factor Authentication:
- TOTP Support: RFC 6238 compliant time-based one-time passwords
- Backup Codes: Emergency recovery codes (stored hashed)
- Configurable Enforcement: Can be required for specific roles or all users
- Device Trust: Remember trusted devices to reduce friction
Password Policies:
- Minimum length (configurable, default 12 characters)
- Complexity requirements (uppercase, lowercase, numbers, symbols)
- Password history (prevents reuse of last N passwords)
- Expiration policies (configurable, optional)
- Common password blacklist
Implementation:
- bcrypt_sha256 hashing (overcomes bcrypt's 72-byte limit)
- Automatic hash algorithm upgrade on login
- Secure password reset with time-limited tokens
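The two implementation points above, the fixed-length pre-hash and the transparent upgrade on login, as an added example that is not the project's code. OpenTranscribe uses bcrypt_sha256; because the `bcrypt` package cannot be assumed here, the slow hash is PBKDF2-HMAC-SHA256 from the standard library as a stand-in, and the "legacy" single-pass SHA-256 scheme is constructed for the demo. The storage format `scheme$iterations$salt$hash`, the `needs_update` rule and the `login` helper are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

CURRENT_SCHEME = "pbkdf2_sha256"   # stand-in for the project's bcrypt_sha256
CURRENT_ITERATIONS = 600_000
LEGACY_SCHEME = "sha256"           # constructed legacy scheme for the demo


def _prehash(password: str) -> bytes:
    """Fixed-length (44-byte) input for the slow hash regardless of password length.
    This is the trick bcrypt_sha256 uses to get around bcrypt's 72-byte limit."""
    return base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest())


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, iterations)
    return "$".join([CURRENT_SCHEME, str(iterations), salt.hex(), digest.hex()])


def legacy_hash_password(password: str) -> str:
    """Old, weak scheme kept only so existing rows can still be verified."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return "$".join([LEGACY_SCHEME, "1", salt.hex(), digest.hex()])


def verify_password(stored: str, password: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == CURRENT_SCHEME:
        calc = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, int(iterations))
    elif scheme == LEGACY_SCHEME:
        calc = hashlib.sha256(salt + password.encode("utf-8")).digest()
    else:
        return False   # unknown scheme: fail closed
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def needs_update(stored: str) -> bool:
    """True when the row uses an old scheme or a weaker-than-current work factor."""
    scheme, iterations, *_ = stored.split("$")
    return scheme != CURRENT_SCHEME or int(iterations) < CURRENT_ITERATIONS


def login(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Returns (authenticated, replacement_hash). The replacement is produced only
    right after a successful check, the one moment the plaintext is available;
    the caller writes it back to the user row."""
    if not verify_password(stored, password):
        return False, None
    return True, (hash_password(password) if needs_update(stored) else None)
```

Raising `CURRENT_ITERATIONS` later needs no migration script: `needs_update` flags the old rows and each user's next successful login rehashes them.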
Account Lockout:
- Configurable failed attempt threshold (default: 5 attempts)
- Progressive lockout duration
- Automatic unlock after timeout
- Admin override capability
- Lockout events logged for security monitoring
Session and Token Management:
- Short-lived access tokens (configurable expiration)
- Refresh token rotation on use
- Secure token storage recommendations
- Session invalidation on password change
- Concurrent session limits (optional)
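Refresh token rotation and session invalidation on password change, as an added example that is not OpenTranscribe's code. Each login starts a token "family"; every refresh consumes the presented token and issues a new one in the same family, and presenting a token that was already consumed revokes the whole family, since either the legitimate client or a thief now holds a copy that the server cannot tell apart. Tokens are opaque and stored only as SHA-256 digests. The family rule, the `REFRESH_TTL` value and the `revoke_user` helper are assumptions of this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

REFRESH_TTL = 14 * 24 * 3600   # assumed refresh-token lifetime in seconds


@dataclass
class RefreshRecord:
    user: str
    family: str         # one family per login; rotation stays inside it
    expires_at: float
    used: bool = False  # set once the token has been exchanged


class RefreshTokenStore:
    """Opaque refresh tokens, stored only as digests, rotated on every use."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()
        self.events: List[Tuple[str, str, str]] = []   # constructed audit trail

    @staticmethod
    def _key(token: str) -> str:
        # A database leak then yields digests, not usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, family: Optional[str] = None) -> str:
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = RefreshRecord(
            user, family, self._clock() + REFRESH_TTL)
        return token

    def rotate(self, token: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means the client must log in again."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.family in self._revoked_families or rec.expires_at < self._clock():
            return None
        if rec.used:
            # Reuse of an already-rotated token: kill the whole family so that
            # neither the real client nor whoever copied the token keeps access.
            self._revoked_families.add(rec.family)
            self.events.append(("refresh_reuse_detected", rec.user, rec.family))
            return None
        rec.used = True
        return self.issue(rec.user, rec.family)

    def revoke_user(self, user: str) -> int:
        """Session invalidation on password change: revoke every family of the user."""
        families = {r.family for r in self._records.values() if r.user == user}
        self._revoked_families |= families
        return len(families)
```

The `events` entries are where a deployment would emit its "session termination" audit record; the reuse event in particular is worth an alert, because it is the one signal that distinguishes a stolen refresh token from normal client behaviour.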
Authentication endpoints are protected with rate limiting:
- Login attempts: Configurable per-IP and per-user limits
- Registration: Prevents mass account creation
- Password reset: Prevents enumeration attacks
- API endpoints: Configurable limits per endpoint
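The per-IP plus per-user login limits listed above, as an added example that is not the project's code: a sliding-window counter keyed by an arbitrary string, composed into a login throttle that a request must pass on both keys. Usernames are lower-cased before keying so case variants do not each get their own budget. The limits (10 per IP and 5 per account per minute), the `LoginThrottle` class and the decision to count an attempt on both keys even when one rejects it are assumptions of this example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple


class SlidingWindowLimiter:
    """Allows at most `limit` hits per key in any trailing window of `window_seconds`."""

    def __init__(self, limit: int, window_seconds: float,
                 clock: Callable[[], float] = time.time):
        self.limit = limit
        self.window = window_seconds
        self._clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginThrottle:
    """Per-IP and per-account limits together; a login attempt must pass both."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.per_ip = SlidingWindowLimiter(10, 60, clock)    # assumed limits
        self.per_user = SlidingWindowLimiter(5, 60, clock)

    def check(self, source_ip: str, username: str) -> Tuple[bool, str]:
        """Returns (allowed, reason); reason is "ip", "user" or "ok"."""
        # Both counters are charged on every attempt, so an attempt blocked by one
        # limit still counts against the other (an attacker rotating addresses still
        # burns the per-account budget, and vice versa).
        ip_ok = self.per_ip.allow(source_ip)
        user_ok = self.per_user.allow(username.strip().lower())
        if not ip_ok:
            return False, "ip"
        if not user_ok:
            return False, "user"
        return True, "ok"
```

For the password-reset and registration endpoints the same limiter applies with its own keys; the extra requirement there is that the response body and timing be identical whether or not the account exists, otherwise the limit slows enumeration but does not prevent it.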
All authentication events are logged for security monitoring:
- Login attempts (success/failure)
- Password changes
- MFA enrollment/removal
- Account lockouts
- Session creation/termination
- Administrative actions
Log format supports integration with SIEM systems.
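The account lockout behaviour described earlier (threshold of 5, progressive duration, automatic unlock, admin override) together with the audit record shape this section calls for, as one added example that is not OpenTranscribe's code. Every state change produces an event carrying timestamp, user, event type, outcome and source IP, the fields a SIEM needs to correlate, and never the candidate password. The progressive schedule `LOCKOUT_DURATIONS`, the event names and the `AccountLockout` API are assumptions of this example; the threshold default of 5 comes from this document.

```python
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

LOCKOUT_THRESHOLD = 5                       # page default: 5 failed attempts
LOCKOUT_DURATIONS = [60, 300, 900, 3600]    # assumed progressive schedule: 1m, 5m, 15m, 1h


@dataclass
class LockState:
    failures: int = 0        # consecutive failures since the last success or unlock
    lockouts: int = 0        # lockouts so far; selects the next duration
    locked_until: float = 0.0


class AccountLockout:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._states: Dict[str, LockState] = {}
        self.events: List[dict] = []   # audit trail, one dict per event (JSON-ready)

    def _audit(self, event: str, user: str, source_ip: str, outcome: str, **extra) -> None:
        ts = datetime.fromtimestamp(self._clock(), timezone.utc).isoformat()
        self.events.append({"ts": ts, "event": event, "user": user,
                            "src_ip": source_ip, "outcome": outcome, **extra})

    def _state(self, user: str) -> LockState:
        return self._states.setdefault(user, LockState())

    def is_locked(self, user: str) -> bool:
        # Automatic unlock: the lock simply expires, no timer thread needed.
        return self._state(user).locked_until > self._clock()

    def record_failure(self, user: str, source_ip: str) -> bool:
        """Call after a wrong password. Returns True if the account is (now) locked."""
        st = self._state(user)
        if self.is_locked(user):
            self._audit("login", user, source_ip, "failure", reason="locked")
            return True
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            duration = LOCKOUT_DURATIONS[min(st.lockouts, len(LOCKOUT_DURATIONS) - 1)]
            st.lockouts += 1
            st.failures = 0
            st.locked_until = self._clock() + duration
            self._audit("account_lockout", user, source_ip, "locked", duration_s=duration)
            return True
        self._audit("login", user, source_ip, "failure", reason="bad_password")
        return False

    def record_success(self, user: str, source_ip: str) -> bool:
        """Call after a correct password. Returns False while a lock still blocks login."""
        st = self._state(user)
        if self.is_locked(user):
            self._audit("login", user, source_ip, "failure", reason="locked")
            return False
        st.failures = 0
        st.lockouts = 0
        self._audit("login", user, source_ip, "success")
        return True

    def admin_unlock(self, user: str, admin: str, source_ip: str) -> None:
        st = self._state(user)
        st.locked_until = 0.0
        st.failures = 0
        self._audit("admin_unlock", user, source_ip, "success", actor=admin)
```

Callers should consult `is_locked()` before verifying the password at all, so a locked account gives the same response to right and wrong guesses. Each entry in `events` serialises with `json.dumps` to a single line, which is the form most SIEM collectors ingest directly.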
OpenTranscribe includes features to support FedRAMP compliance requirements:
System Use Notification:
- Classification banners (configurable levels: UNCLASSIFIED, CUI, SECRET, TOP SECRET)
- System use notifications displayed before login
- Customizable banner text and colors
Identification and Authentication:
- Multi-factor authentication (TOTP)
- PKI/CAC support for government systems
- Strong authentication for privileged users
Authenticator Management:
- Password complexity policies
- Password history enforcement
- Authenticator feedback protection (no password hints)
- Password expiration policies
Session Management:
- Configurable session timeouts
- Automatic logout on inactivity
- Session termination on logout
Audit and Accountability:
- Comprehensive audit logging
- Timestamp and user identification
- Event type and outcome recording
- Source IP address logging
For testing compliance features, see TESTING_CHECKLIST.md.
We appreciate the security research community's efforts to improve OpenTranscribe's security. We're committed to working with researchers and will acknowledge their contributions (with their permission) in our security advisories.
Thank you for helping keep OpenTranscribe secure!