RigForge compiles XMRig from upstream source and applies privileged system
tuning — it runs as root, configures kernel HugePages and MSR access, and
installs a systemd service. Because of that footprint, we take security
reports seriously and appreciate responsible disclosure.

No telemetry, ever. RigForge never phones home — there is no analytics, no
version ping, and no usage beacon. The only outbound connections it makes are to
your pool, to the pinned XMRig source on GitHub (a shallow clone whose commit is
verified against a hardcoded hash before it's built), and to your distro's package
mirrors. The XMRig developer donation defaults to 1% (XMRig's own upstream
default, not a RigForge markup), goes to the XMRig project's address (RigForge
substitutes no wallet of its own into the mining path), and can be set to 0 with
`"DONATION": 0` in config.json.

The worker stats API (:8080). Each worker runs XMRig's HTTP API so a Pithead
dashboard can read per-rig stats over the LAN. Know exactly what it is:

- Read-only. It's configured with `restricted: true`: the API can be read but never used to control the miner (no remote pause, config change, or shutdown).
- Token-gated. Reads require a bearer token (the rig name by default), so it isn't an open endpoint.
- LAN-bound by default. It binds `0.0.0.0:8080` because the Pithead dashboard polls each worker from the stack host. The data it can return is mining stats: hashrate, the configured pool URL, the worker label, and the CPU model.
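The three properties above can be checked mechanically against the worker's config.json. The following is an added example, not RigForge's or XMRig's own code; it assumes XMRig's `http` block keys (`enabled`, `host`, `port`, `access-token`, `restricted`) and uses a constructed sample config. It also flags a `0.0.0.0` bind when no dashboard is expected to poll the rig.

```python
import json

# Constructed sample of the "http" block XMRig reads from config.json; the
# values mirror the defaults described above (restricted, rig name as token).
SAMPLE_CONFIG = json.loads("""
{
  "http": {
    "enabled": true,
    "host": "0.0.0.0",
    "port": 8080,
    "access-token": "rig-01",
    "restricted": true
  }
}
""")


def audit_http_api(config, dashboard_polls_lan=True):
    """Return findings for the XMRig HTTP API block; [] means it matches the
    posture above: read-only, token-gated, and bound no wider than needed."""
    http = config.get("http", {})
    if not http.get("enabled", False):
        return []  # API disabled: nothing is exposed on :8080
    findings = []
    # Require an explicit true rather than trusting the upstream default, so a
    # later edit cannot silently turn the API read-write.
    if http.get("restricted") is not True:
        findings.append("restricted is not true: API would accept control calls")
    if not http.get("access-token"):
        findings.append("access-token is empty: stats readable without a bearer token")
    host = http.get("host", "127.0.0.1")  # assumed XMRig default bind
    if host == "0.0.0.0" and not dashboard_polls_lan:
        findings.append("host is 0.0.0.0 with no dashboard polling it: "
                        "bind 127.0.0.1 or firewall :8080")
    return findings


def audit_config_file(path, dashboard_polls_lan=True):
    """Load a config.json from disk and audit its http block."""
    with open(path, encoding="utf-8") as fh:
        return audit_http_api(json.load(fh), dashboard_polls_lan)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_config_file(target) if target else audit_http_api(SAMPLE_CONFIG)
    print("\n".join(result) or "ok: API is restricted, token-gated, and scoped")
```

Run it with the path to a worker's config.json, or with no arguments to audit the embedded sample.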

Not running Pithead? Nothing else needs the port: `tune` and `doctor` read
the API over 127.0.0.1. So if you mine solo or to a public pool, you can firewall
:8080 off entirely without losing anything:

```bash
sudo ufw deny 8080/tcp                                          # block it outright …
sudo ufw allow from <DASHBOARD_IP> to any port 8080 proto tcp   # … or scope it to one host
```

Only the latest main is supported. Please reproduce against current main
before reporting.

| Version | Supported |
|---|---|
| main (latest) | ✅ |
| older commits | ❌ |

Please do not open a public issue for security problems.
Instead, use GitHub's private vulnerability reporting on this repository:

- Go to the Security tab.
- Click Report a vulnerability (under Security Advisories).
- Describe the issue, the affected version/commit, and steps to reproduce.

We'll acknowledge your report, investigate, and keep you updated on a fix and disclosure timeline. Thanks for helping keep RigForge users safe.