Security
Supported versions
| Version | Supported |
|---|---|
| Latest release | ✓ |
| Previous minor | ✓ |
| Older versions | ✗ |
Reporting vulnerabilities
- Do not open a public issue.
- Contact privately. Email the maintainer directly or use GitHub’s private vulnerability reporting feature.
- Include details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We aim to respond within 48 hours and will work with you to understand and address the issue.
Security considerations
RouterOS API credentials
- Use a dedicated user with minimal permissions (only the `api`, `read` and `write` policies)
- Use TLS when possible (`mikrotik.tls: true`); the plain API carries the login and every command unencrypted
- Store credentials securely (environment variables or a secrets manager)
- Never commit credentials to version control
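The following script is an added example, not code from the bouncer project: it renders the RouterOS commands that create a least-privilege user for the bouncer (group with only the `api`, `read` and `write` policies, login restricted to the bouncer's source address) and move the API onto TLS by enabling `api-ssl` and disabling the plaintext `api` service. The user and group name, the source address, the `MIKROTIK_PASSWORD` environment variable and the certificate name `router-cert` (assumed to be already imported on the router) are assumptions for this example; the bouncer must then be configured with `mikrotik.tls: true` and the `api-ssl` port (8729 by default).

```shell
#!/bin/sh
# Added example (not the bouncer project's own code). Renders a RouterOS
# script to stdout so it can be reviewed and then piped into the router over
# SSH. Assumptions: user/group name, source address, certificate name and the
# MIKROTIK_PASSWORD environment variable are placeholders for this example.
set -eu

# $1 = bouncer user and group name
# $2 = address(es) the bouncer connects from, e.g. 192.0.2.10/32
# $3 = name of a certificate already present on the router, used by api-ssl
routeros_bouncer_user_script() {
    user="$1"; src="$2"; cert="$3"
    # The password comes from the environment so it never sits in a file under
    # version control. Keep it free of '"' and '$', which RouterOS treats
    # specially inside quoted strings.
    pass="${MIKROTIK_PASSWORD:?set MIKROTIK_PASSWORD in the environment}"
    # Group: only the policies the bouncer needs (API login, read, write).
    # User: bound to that group and allowed to log in only from $src.
    # Services: API served only over TLS, only to $src; plaintext API off.
    cat <<EOF
/user group add name=$user policy=api,read,write
/user add name=$user group=$user password="$pass" address=$src
/ip service set api-ssl certificate=$cert address=$src disabled=no
/ip service set api disabled=yes
EOF
}

# Self-check: returns 0 when the rendered group line grants exactly the three
# policies and nothing more.
script_has_only_minimal_policies() {
    routeros_bouncer_user_script "$@" | grep -q 'policy=api,read,write$'
}

# Usage: MIKROTIK_PASSWORD='...' sh harden-router.sh render | ssh admin@192.0.2.1
if [ "${1:-}" = "render" ]; then
    routeros_bouncer_user_script crowdsec-bouncer 192.0.2.10/32 router-cert
fi
```

Piping the rendered script over SSH keeps the password out of the local shell history; the `address=` restrictions mean a leaked password is only usable from the bouncer host.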
CrowdSec LAPI connection
- Use TLS for the LAPI connection when available (CrowdSec can serve LAPI over TLS and can authenticate bouncers with client certificates instead of API keys)
- Restrict LAPI access to trusted networks
- Rotate bouncer API keys periodically
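Key rotation is only safe if the new key is registered before the old one is deleted, otherwise the bouncer is locked out until it is reconfigured. The script below is an added example, not part of the bouncer project: it generates a fresh key locally, registers it under a date-stamped name with the standard `cscli bouncers add` command, writes it to a mode 0600 file for you to reference from the bouncer's configuration, and only tells you how to retire the old registration once the new one is pulling decisions. The bouncer name `crowdsec-mikrotik`, the key file path and the idea of feeding the key from a file are assumptions; how the bouncer actually reads its key is defined by its own configuration.

```shell
#!/bin/sh
# Added example (not the bouncer project's own code). Rotates the LAPI API key
# of a bouncer without a window in which it is unauthenticated. Assumptions:
# bouncer base name, key file path. cscli subcommands used are standard.
set -eu

# Generate a 256-bit key as 64 hex characters (CrowdSec accepts a caller
# supplied key via `cscli bouncers add -k`).
new_api_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Date-stamp the registration name so old and new can coexist in `cscli
# bouncers list` while the bouncer is switched over.
rotated_bouncer_name() {
    printf '%s-%s' "$1" "$(date +%Y%m%d)"
}

# Rotation in the order that avoids downtime:
#   1. register a second key under a new name
#   2. point the bouncer at it and restart the bouncer
#   3. confirm the new registration shows a recent pull
#   4. only then delete the old registration
# $1 = base bouncer name, $2 = registration being retired, $3 = key file
rotate_bouncer_key() {
    base="$1"; old="$2"; keyfile="$3"
    new="$(rotated_bouncer_name "$base")"
    key="$(new_api_key)"
    umask 077                          # key file readable by owner only
    printf '%s\n' "$key" > "$keyfile"
    cscli bouncers add "$new" -k "$key" >/dev/null
    echo "registered $new; key written to $keyfile"
    echo "update the bouncer configuration to use the key in $keyfile and restart it, then run:"
    echo "  cscli bouncers list        # $new should show a recent last pull"
    echo "once it does, retire the old registration:"
    echo "  cscli bouncers delete $old"
}

# Usage: sh rotate-key.sh rotate <old-registration-name>
if [ "${1:-}" = "rotate" ]; then
    rotate_bouncer_key crowdsec-mikrotik "${2:?old registration name}" /etc/crowdsec-mikrotik/lapi.key
fi
```

Restricting LAPI to trusted networks is a separate setting on the CrowdSec side (`listen_uri` under `api.server` in the LAPI configuration, plus host firewalling); rotating keys does not replace it, since a key presented from an untrusted network would still be accepted.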
Metrics endpoint
Docker security
- The official Docker image runs as a non-root user
- Run the container with a read-only root filesystem where possible
- Drop the container capabilities the bouncer does not need
- Use secrets management for credentials (Docker secrets, Kubernetes secrets)
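A `docker run` invocation that applies these restrictions, as an added example rather than the project's documented command: the image name, the config mount path and the env-file location are assumptions. The env-file is the plain `docker run` stand-in for secrets management; with Compose, Swarm or Kubernetes use their secrets mechanism instead of an env-file.

```shell
#!/bin/sh
# Added example (not the bouncer project's own code). Starts the bouncer
# container read-only, without capabilities and without privilege escalation,
# with credentials supplied from a root-owned mode 0600 env file rather than
# from -e on the command line (where they show up in `ps` and shell history).
# Assumptions: image name, config path inside the image, env-file path.
set -eu

IMAGE="${BOUNCER_IMAGE:-example/crowdsec-mikrotik-bouncer:latest}"

# One argument per line, so the list can be inspected and checked separately
# from actually starting the container.
bouncer_run_args() {
    printf '%s\n' \
        --name crowdsec-mikrotik-bouncer \
        --read-only \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --env-file /etc/crowdsec-mikrotik/bouncer.env \
        --volume /etc/crowdsec-mikrotik/config.yaml:/etc/bouncer/config.yaml:ro \
        --restart=unless-stopped \
        --detach
    # If the bouncer needs a writable path (state, logs), add e.g. --tmpfs /tmp
    # rather than dropping --read-only.
}

# Returns non-zero if a required hardening flag is missing or if a credential
# is being passed inline with -e/--env.
check_hardening() {
    args="$(bouncer_run_args)"
    for must in --read-only --cap-drop=ALL --security-opt=no-new-privileges; do
        printf '%s\n' "$args" | grep -qx -- "$must" || return 1
    done
    ! printf '%s\n' "$args" | grep -Eq -- '^(-e|--env=)'
}

run_bouncer() {
    check_hardening
    # word-splitting is intended: the args contain no whitespace
    docker run $(bouncer_run_args) "$IMAGE"
}

if [ "${1:-}" = "start" ]; then
    run_bouncer
fi
```

Because the image already runs as a non-root user, `--cap-drop=ALL` and `no-new-privileges` mainly close the remaining escalation paths (setuid binaries inside the image, file capabilities); the read-only root filesystem limits what a compromised process could persist.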
Firewall rule integrity
- The bouncer identifies its rules by structured comments; do not edit these comments manually, or the bouncer will no longer recognise the rule as its own and cleanup may leave it in place
- Use the `comment_prefix` option to avoid conflicts with other tools that also manage rules on the router
- The bouncer performs cleanup on startup and shutdown to prevent stale rules
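An audit that follows from the comment-based ownership model, as an added example and not the bouncer's own code: given a RouterOS address-list export, separate the entries whose comment starts with the bouncer's prefix from entries in the same list that something else added (hand edits during an incident, another tool, or a bouncer entry whose comment was changed). After a restart the second set should be empty or consist only of entries you recognise. The sample export is constructed for this example in the shape of `/ip firewall address-list export` output; the prefix `crowdsec`, the list name `crowdsec-ban` and the content after the prefix are assumptions, and the bouncer's real comment format is its own.

```shell
#!/bin/sh
# Added example (not the bouncer project's own code). Classifies address-list
# entries by whether their comment starts with the bouncer's comment prefix.
# SAMPLE_EXPORT is a constructed sample; prefix and list name are assumptions.
set -eu

SAMPLE_EXPORT='/ip firewall address-list
add address=203.0.113.7 comment="crowdsec: ban 1 reason=ssh-bf" list=crowdsec-ban timeout=4h
add address=198.51.100.23 comment="crowdsec: ban 2 reason=http-probing" list=crowdsec-ban timeout=4h
add address=192.0.2.44 comment="added by hand during incident" list=crowdsec-ban
add address=192.0.2.99 comment="geoip-tool: country=XX" list=geo-block'

# Print "address<TAB>comment" for entries of list $2 in export $1 whose comment
# starts with prefix $4; with $3 = "not", print the entries that do not.
select_entries() {
    printf '%s\n' "$1" | awk -v list="$2" -v negate="$3" -v prefix="$4" '
        /^add / {
            addr = ""; comment = ""; lst = ""
            if (match($0, /address=[^ ]+/))   addr    = substr($0, RSTART + 8, RLENGTH - 8)
            if (match($0, /comment="[^"]*"/)) comment = substr($0, RSTART + 9, RLENGTH - 10)
            if (match($0, /list=[^ ]+/))      lst     = substr($0, RSTART + 5, RLENGTH - 5)
            if (lst != list) next
            owned = (index(comment, prefix) == 1)
            if ((negate == "not") != owned) print addr "\t" comment
        }'
}

bouncer_owned()     { select_entries "$1" "$2" ""    "$3"; }
not_bouncer_owned() { select_entries "$1" "$2" "not" "$3"; }

# Counts for a quick post-restart check; a non-zero foreign count in the
# bouncer's list means entries it will neither refresh nor clean up.
count_owned()   { bouncer_owned "$@"     | grep -c . || true; }
count_foreign() { not_bouncer_owned "$@" | grep -c . || true; }

# Usage with a real router:
#   ssh admin@192.0.2.1 '/ip firewall address-list export' > export.rsc
#   not_bouncer_owned "$(cat export.rsc)" crowdsec-ban crowdsec
if [ "${1:-}" = "demo" ]; then
    echo "owned by the bouncer:";      bouncer_owned     "$SAMPLE_EXPORT" crowdsec-ban crowdsec
    echo "not owned (review these):";  not_bouncer_owned "$SAMPLE_EXPORT" crowdsec-ban crowdsec
fi
```

The same check can be run on the router itself with `/ip firewall address-list print where list=crowdsec-ban comment~"^crowdsec"` (RouterOS accepts a regular expression after `~`); the script version is easier to diff over time or to wire into monitoring.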