🔒 Security Policy

At Open WebUI, safeguarding the security and confidentiality of user data is our foremost concern. Our technical architecture and development processes are designed to minimize vulnerabilities and uphold the trust our stakeholders place in us. Regular assessments, codebase vetting, and systematic adoption of best practice methodologies ensure that security remains a central part of our project lifecycle.

We employ a mixture of automated and manual techniques to keep up with evolving threats, and are continuously improving our approach, including plans to integrate advanced static and dependency analysis tools. The focus is always on proactive risk management and responsible handling of any vulnerabilities reported.

Supported Versions

Version | Supported
--- | ---
main |
others |

Where and How to Report Security Vulnerabilities

Open WebUI’s community thrives because of people like you, people who care deeply about making software safer for everyone.

To ensure your findings truly help protect users and are addressed swiftly, please submit all security vulnerability reports only via our official GitHub security page. Any other website, service, or so-called “bounty” platform is not affiliated with us, and your important work will simply not reach those who can make a difference.

We know it can be tempting to trust platforms that make big promises, but only GitHub connects you directly to those safeguarding Open WebUI. Let's ensure your vigilance genuinely benefits the community: report here, where it really matters.

All security vulnerabilities for Open WebUI must be reported exclusively through our official GitHub repository: https://github.com/open-webui/open-webui/security.

We are committed to maintaining a secure environment by ensuring that all security vulnerability reports are managed exclusively through our official GitHub platform. By handling disclosures centrally on GitHub, we guarantee that every report is processed transparently, efficiently, and confidentially by the project maintainers. This approach allows us to provide contributors and users with the highest level of visibility, accountability, and assurance that all security-related communications and resolutions are thoroughly documented and reliably managed. Reports submitted through any platform, channel, or third-party service outside of GitHub cannot be incorporated into our official security workflow and, as a result, may not be able to contribute to the safety of Open WebUI.

Why Only GitHub?

Our commitment to a single, central reporting mechanism is rooted in both technical rigor and ethical stewardship:

  • Integrity and Traceability: Managing reports solely via GitHub ensures every issue is handled within the open-source ecosystem, where the community can verify the process, outcomes, and accountability of contributors.
  • User Safety: Other websites claiming to facilitate vulnerability disclosure, offer rewards, or bounty programs are not affiliated with Open WebUI. Submitting vulnerabilities to such platforms not only fails to make the project safer but can unintentionally place sensitive details at risk of misuse or unauthorized disclosure.
  • Protecting the Community: When information bypasses our centralized security workflow, the project becomes more susceptible not just to unfixed exploits, but also to the spread of misleading or exploitative practices. Despite claims by outside sites to act as intermediaries or pay bounties, these entities offer no guarantees to users and may encourage questionable or unsafe behavior under the guise of incentivization. Ultimately, only disclosures made via our GitHub ensure that your expertise benefits the entire ecosystem as intended.

Reporting Guidelines

To ensure a constructive and rapid remediation process, please adhere to the following requirements:

  1. Submit Detailed Reports Only: Vague or generic statements such as “I found a vulnerability” without actionable details will not be accepted and are classified as spam.
  2. Demonstrate Understanding: Clear, concise descriptions backed by evidence of impact or exploitability are required. Please specify components, affected versions, and steps to reproduce.
  3. Proof of Concept Required: Submissions must include a working proof of concept (PoC). Private forks may be used for responsible disclosure—access must be shared with relevant maintainers.
  4. Remediation Guidance Expected: High-quality reports are most valuable when accompanied by proposed patches or direct, actionable steps for mitigation. This streamlines our review and resolution timeline, and demonstrates commitment to the project’s ongoing robustness.

Contributors who not only identify a vulnerability but also present a robust, ready-to-merge fix help accelerate our response and strengthen the community. We do recognize and prioritize such efforts, and there may be additional opportunities for appreciation for those who provide comprehensive solutions.

All non-compliant or off-topic submissions will be closed. Repeat misuse may result in being banned from contributing to the project.

Communication and Compensation

All threat assessments and follow-up are reviewed by the core project team, allowing us to directly evaluate, prioritize, and address the issue. While we promote responsible disclosure and highly value skilled contributions, the process—including recognition—remains at the sole discretion of the maintainers, and is handled within GitHub. Contributors offering actionable fixes may receive additional acknowledgment depending on the impact of their report.

Product Security Process

  • Internal and periodic external reviews of our architecture and pipelines
  • Automated and manual testing for both front-end and back-end
  • Proactive risk management and code reviews as part of ongoing development
  • Continuous improvements and integration of advanced tooling for static/dynamic analysis

If you have an immediate and actionable security concern, please create a report in our security advisory portal or issue tracker.