alunduil/zfs-replicate

Security researchers have a documented private disclosure path

Open

#410 aperta il 23 apr 2026

Vedi su GitHub
 (0 commenti) (0 reazioni) (0 assegnatari)Python (5 fork)auto 404
enhancementgood first issue

Metriche repository

Star
 (24 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

User story

As a security researcher, I want a documented disclosure path so that I can report a vulnerability privately instead of opening a public issue on a tool that shells out to ssh and zfs with user-controlled input.

Why

There is no SECURITY.md today. GitHub's private vulnerability reporting is not enabled. zfs-replicate runs subprocess.Popen(shell=True, …) with hostnames and dataset names interpolated into the command string (zfs/replicate/snapshot/send.py:35, others). That's a security-adjacent surface; a disclosure channel is table stakes.

Acceptance criteria

  • SECURITY.md exists at the repo root covering: supported versions, how to report (email, GitHub private report, or both), expected response time, credit policy.
  • GitHub private vulnerability reporting is enabled in repo settings (checkbox under Security).
  • README's "Getting support" section links to SECURITY.md.

Out of scope

  • Fixing the shell=True usage — tracked as the argv-list Command builder issue.

Notes

  • Target release: none — chore
  • Source: modernization assessment §4.

Guida contributor