Security — Mezzanine

Responsible disclosure

Found a vulnerability? Email security@mezzanine.cloud with details and reproduction steps. Please give us reasonable time to fix before public disclosure. We will acknowledge within 72 hours and keep you updated.

How Mezzanine is built

Auth required. Multi-user accounts with bcrypt-hashed passwords, HTTP-only session cookies, and route-level role enforcement (owner / admin / moderator / viewer).
Secrets stay local. In the self-hosted edition, SSH credentials and tokens live only in your own SQLite database on your own server — never sent to us.
TLS everywhere. nginx terminates Let's Encrypt certificates with auto-renewal.
Least privilege. Deploy keys are scoped per-repository; provider tokens use the minimum required permissions.
Webhook integrity. CI/CD webhooks are HMAC-SHA256 verified.

Your responsibilities (self-hosted)

Keep your host patched, restrict SSH to keys, run a firewall, back up your mezzanine_data volume, and treat the database file as a secret. See the install guide's hardening section.

Contact

security@mezzanine.cloud