alunduil/zfs-replicate
View on GitHubSecurity researchers have a documented private disclosure path
Open
#410 opened on Apr 23, 2026
enhancementgood first issue
Repository metrics
- Stars
- (24 stars)
- PR merge metrics
- (PR metrics pending)
Description
User story
As a security researcher, I want a documented disclosure path so that I can report a vulnerability privately instead of opening a public issue on a tool that shells out to ssh and zfs with user-controlled input.
Why
There is no SECURITY.md today. GitHub's private vulnerability reporting is not enabled. zfs-replicate runs subprocess.Popen(shell=True, …) with hostnames and dataset names interpolated into the command string (zfs/replicate/snapshot/send.py:35, others). That's a security-adjacent surface; a disclosure channel is table stakes.
Acceptance criteria
-
SECURITY.mdexists at the repo root covering: supported versions, how to report (email, GitHub private report, or both), expected response time, credit policy. - GitHub private vulnerability reporting is enabled in repo settings (checkbox under Security).
- README's "Getting support" section links to
SECURITY.md.
Out of scope
- Fixing the
shell=Trueusage — tracked as the argv-listCommandbuilder issue.
Notes
- Target release: none — chore
- Source: modernization assessment §4.