ConsentOS — a privacy-first cookie consent management platform. Self-hosted, source-available alternative to OneTrust, Cookiebot, and CookieYes. Full standards coverage (IAB TCF v2.2, GPP v1, Google Consent Mode v2, GPC, Shopify Customer Privacy API), multi-tenant architecture with role-based access, configuration cascade (system → org → group → site → region), dark-pattern detection in the scanner, and a tamper-evident consent record audit trail. This is the initial public release. Prior development history is retained internally. See README.md for the feature list, architecture overview, and quick-start instructions. Licensed under the Elastic Licence 2.0 — self-host freely; do not resell as a managed service.
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 0.1.x | Yes |
Reporting a Vulnerability
If you discover a security vulnerability, please do not open a public issue.
Instead, email security@consentos.dev with:
- A description of the vulnerability
- Steps to reproduce
- Any relevant logs or screenshots
- Your assessment of severity
We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days for critical issues.
Scope
The following are in scope for security reports:
- The ConsentOS API (apps/api/)
- The consent banner script (apps/banner/)
- The scanner service (apps/scanner/)
- The admin UI (apps/admin-ui/)
- Docker and Helm deployment configurations
Responsible Disclosure
We ask that you give us reasonable time to address any reported vulnerabilities before disclosing them publicly, remembering that this is a free, open source project and not paid work. We are happy to credit researchers who report valid issues (unless you prefer to remain anonymous).