alunduil/zfs-replicate

Security researchers have a documented private disclosure path

Open

#410 opened on Apr 23, 2026

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Python (5 forks)auto 404
enhancementgood first issue

Repository metrics

Stars
 (24 stars)
PR merge metrics
 (PR metrics pending)

Description

User story

As a security researcher, I want a documented disclosure path so that I can report a vulnerability privately instead of opening a public issue on a tool that shells out to ssh and zfs with user-controlled input.

Why

There is no SECURITY.md today. GitHub's private vulnerability reporting is not enabled. zfs-replicate runs subprocess.Popen(shell=True, …) with hostnames and dataset names interpolated into the command string (zfs/replicate/snapshot/send.py:35, others). That's a security-adjacent surface; a disclosure channel is table stakes.

Acceptance criteria

  • SECURITY.md exists at the repo root covering: supported versions, how to report (email, GitHub private report, or both), expected response time, credit policy.
  • GitHub private vulnerability reporting is enabled in repo settings (checkbox under Security).
  • README's "Getting support" section links to SECURITY.md.

Out of scope

  • Fixing the shell=True usage — tracked as the argv-list Command builder issue.

Notes

  • Target release: none — chore
  • Source: modernization assessment §4.

Contributor guide