The security policy for Pithead: supported versions, how to report a vulnerability, and the stack's default security posture.
Pithead runs a Monero full node, P2Pool, Tari merge mining, and a dashboard on your hardware, and it handles wallet payout addresses.
Security fixes land on the latest main. There are no long-lived release branches.
Make sure you're running an up-to-date checkout before reporting an issue.
| Version | Supported |
|---|---|
latest main |
✅ |
| anything older | ❌ (please update) |
Please do not open a public issue for security problems.
Use GitHub's private vulnerability reporting instead: go to the Security tab and click Report a vulnerability. This opens a private advisory visible only to the maintainers, for triage and coordinated disclosure.
Include:
- A description of the issue and its impact.
- Steps to reproduce, and the affected component (node, P2Pool, proxy, dashboard, Tor,
pitheadscript, etc.). - Any relevant logs or configuration (redact wallet addresses and secrets).
The stack's defaults:
- Least-privilege containers: every service runs as a non-root user (not uid 0); leaf services
run with
no-new-privilegesand drop all Linux capabilities; internet-facing and Docker-socket-facing services also use a read-only root filesystem. - SHA256-verified, version-pinned binaries.
- Localhost-only RPC.
- LAN-scoped (and narrowable) stratum port.
- Scoped Docker socket proxies.
- Tor for all node networking.
Report any gap in these.