Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/pixlcore/xyops/llms.txt

Use this file to discover all available pages before exploring further.

The xyOps team takes security very seriously. Due to the nature of how xyOps is installed on large server fleets, security is always a priority, and we aim to implement security by design.

Coordinated Vulnerability Disclosure

xyOps follows the coordinated vulnerability disclosure model when dealing with security vulnerabilities. This was previously known as responsible disclosure.
We strongly urge anyone reporting vulnerabilities to xyOps or any other project to follow this model, as it is considered a best practice by many in the security industry.

Why Coordinated Disclosure?

This process helps ensure that:
  • Users affected have an avenue to fix the issue as close to public disclosure as possible
  • The attack surface is not increased via improved attacker knowledge
  • Diligent administrators have time to patch before exploits become public

Reporting a Vulnerability

If you believe you have identified a security vulnerability or security-related bug with xyOps:
  • Do NOT open a public GitHub issue
  • Do NOT notify us in public forums
  • Do NOT disclose the issue to third parties
Please make every effort to contact us privately using one of the methods below.

Contact Options

Users can utilize the security@pixlcore.com email address to privately report a vulnerability.Best for: Users who do not have a GitHub accountAccess: This email account is only accessible by members of the core team for the purpose of disclosing security vulnerabilities and issues within the xyOps codebase.What to include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Disclosure Process

Here’s what happens when you report a security vulnerability:
1

Report Received

The user privately reports a potential vulnerability.
2

Acknowledgment

The report is acknowledged as received.
3

Initial Review

The report is reviewed to ascertain if additional information is required. If so:
  • The user is informed that additional information is needed
  • The user privately adds the additional information
  • The process continues with another review cycle
4

Reproduction

The vulnerability is reproduced by the team.
5

Patch Development

The vulnerability is patched, and if possible, the user reporting the bug is given access to:
  • Fixed binary
  • Docker image
  • Git patch
6

Verification

The patch is confirmed to resolve the vulnerability.
7

Release

The fix is released and users are notified that they should update urgently.
8

Public Disclosure

The security advisory is published when (whichever happens sooner):
  • The CVE details are published by MITRE, NIST, etc.
  • Roughly 7 days after users have been notified the update is available

Credit and Recognition

Users who report bugs will, at their discretion, be credited for the discovery.
You do not have to be credited if you wish to remain anonymous.
Where credit is given:

Security Best Practices

When deploying xyOps, follow these security best practices:

Installation Security

  • Use strong passwords for all user accounts
  • Enable multi-factor authentication where possible
  • Limit administrator privileges to necessary users only
  • Regularly review and audit user access
  • Use HTTPS/TLS for all web traffic
  • Configure firewall rules to restrict access
  • Use VPN or private networks for satellite connections
  • Implement IP-based ACLs where appropriate
  • Store credentials in the Secrets vault
  • Never hardcode passwords in plugins or scripts
  • Rotate credentials regularly
  • Use environment variables for sensitive configuration

Configuration Security

  • Enable HTTPS with valid TLS certificates
  • Configure appropriate session timeouts
  • Use secure cookie settings
  • Implement rate limiting on API endpoints
  • Use external storage (S3, MinIO) for production
  • Encrypt data at rest where possible
  • Implement regular backups
  • Restrict database access to localhost where possible
  • Use API keys instead of user credentials for automation
  • Implement rate limiting on API keys
  • Rotate API keys regularly
  • Restrict API key privileges to minimum necessary

Plugin Security

Plugins execute with full system access on worker servers. Only install plugins from trusted sources.
  • Review plugin source code before installation
  • Check plugin author reputation
  • Verify plugin signatures where available
  • Test plugins in a development environment first
The Shell Plugin script parameter is administrator-locked by default. This means:
  • Only administrators can modify shell scripts
  • Non-admin users can run pre-approved scripts
  • This prevents privilege escalation via script modification

Monitoring and Auditing

  • Enable comprehensive activity logging
  • Monitor for suspicious activity
  • Review activity logs regularly
  • Set up alerts for security-relevant events
  • Subscribe to security advisories
  • Apply security patches promptly
  • Test updates in development before production
  • Maintain an update schedule

Security Features

xyOps includes several built-in security features:

Authentication

  • User authentication with password hashing
  • API key authentication for automation
  • SSO/SAML integration support
  • Session management with timeouts

Authorization

  • Role-based access control (privileges)
  • Category-based permissions
  • Parameter-level locking (admin-only fields)
  • API endpoint access control

Encryption

  • TLS/HTTPS support for web traffic
  • Encrypted WebSocket connections
  • Secret vault for credential storage
  • Secure cookie handling

Auditing

  • Comprehensive activity logging
  • User action tracking
  • API access logging
  • Job execution history

Common Security Questions

No. It’s recommended to run xyOps as a dedicated user with appropriate permissions. The installer sets up proper permissions automatically.
Store all credentials in the Secrets vault and reference them via environment variables or params. Never hardcode credentials in plugins or configuration.
Yes. xyOps supports:
  • Mutual TLS authentication
  • IP-based ACLs
  • SSO integration
  • API key authentication
Configure these features according to your security requirements.
  • Use TLS for WebSocket connections
  • Implement network segmentation
  • Use VPNs or private networks
  • Configure firewall rules to restrict access

Security Compliance

xyOps can be configured to meet various compliance requirements:
  • Audit Logging: Comprehensive activity logs for compliance tracking
  • Access Control: Granular permissions and role-based access
  • Encryption: TLS/HTTPS support for data in transit
  • Secrets Management: Secure vault for credential storage
  • Regular Updates: Active maintenance and security patching
For specific compliance requirements (SOC 2, HIPAA, etc.), consult with your security team to configure xyOps appropriately.

Additional Resources

Contact

For security-related inquiries:

Build docs developers (and LLMs) love

Get started for freeTalk to us