Report security issues via GitHub's private vulnerability reporting:
Do not open a public issue for security vulnerabilities.
I aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for critical issues.
CloudDump handles sensitive credentials (AWS keys, database passwords, API tokens). The following are in scope:
- Credential leakage in logs, emails, or process arguments
- Path traversal in backup destinations
- Command injection via configuration values
- Container escape or privilege escalation
- Redaction bypasses
These are by design and not considered vulnerabilities:
- AWS CLI v1 is used (Debian 12 apt). v2 is not available via apt for this release.
- Database credentials are passed via environment variables to pg_dump/mysqldump. This is standard practice for these tools.
- GitHub token is written to a temporary file (deleted after use) because github-backup does not support environment variables.
- The container requires write access to /backup. Use appropriate volume permissions in your orchestrator.