31 lines
1.2 KiB
Markdown
31 lines
1.2 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
Please do not report security vulnerabilities in public GitHub issues.
|
|
|
|
Use GitHub's private vulnerability reporting for this repository when available. If that is not available to you, open a minimal GitHub issue asking for a private security contact without including exploit details, credentials, tokens, connection strings, database dumps, or screenshots containing secrets.
|
|
|
|
## What to Include
|
|
|
|
Helpful reports include:
|
|
|
|
- Affected DBX version or commit.
|
|
- Operating system and installation method.
|
|
- The impacted component, such as desktop app, Docker service, CLI, MCP server, or JDBC plugin.
|
|
- Steps to reproduce in a safe test environment.
|
|
- Impact assessment and any known workaround.
|
|
|
|
## Scope
|
|
|
|
Security-sensitive areas include:
|
|
|
|
- Connection storage, config import/export, and encryption.
|
|
- Database credential handling.
|
|
- SSH tunnel and proxy handling.
|
|
- AI provider keys and OpenAI-compatible endpoint configuration.
|
|
- MCP and CLI access to local DBX connections.
|
|
- Docker web service authentication and data directory handling.
|
|
|
|
Please avoid testing against systems you do not own or have explicit permission to assess.
|