Security: Soum-ik/database-migration-tool

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Currently supported versions:

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

We take the security of Migration Tool seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please Do Not

  • Do not open a public GitHub issue for security vulnerabilities
  • Do not disclose the vulnerability publicly until it has been addressed

How to Report

Email: your.email@example.com

Subject: [SECURITY] Brief description of the vulnerability

Include:

  1. Description - Detailed description of the vulnerability
  2. Impact - What an attacker could achieve
  3. Steps to Reproduce - Detailed steps to reproduce the issue
  4. Proof of Concept - Code, screenshots, or other evidence
  5. Suggested Fix - If you have ideas on how to fix it
  6. Your Details - Name and contact info (optional for credit)

Example Report

Subject: [SECURITY] SQL Injection in migration endpoint

Description:
The migration endpoint is vulnerable to SQL injection through the sourceDb parameter.

Impact:
An attacker could execute arbitrary SQL queries on the source database.

Steps to Reproduce:
1. Send POST request to /api/jobs/migrate
2. Include malicious SQL in sourceDb URL
3. SQL is executed without sanitization

Proof of Concept:
[Code or screenshots]

Suggested Fix:
Sanitize all database URL parameters before processing.

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Status Updates: Every 2 weeks
  • Fix Release: Depends on severity

Severity Levels

Critical

  • Remote code execution
  • Authentication bypass
  • Data breach potential
  • Response: Immediate (24-48 hours)

High

  • Privilege escalation
  • Sensitive data exposure
  • Denial-of-service (DoS) attacks
  • Response: 1-2 weeks

Medium

  • Information disclosure
  • Security misconfiguration
  • Response: 2-4 weeks

Low

  • Minor information leakage
  • Best practice violations
  • Response: Next release cycle

Security Best Practices

For Users

  1. Environment Variables

    • Never commit .env files
    • Use strong Redis passwords in production
    • Rotate credentials regularly
  2. Database Credentials

    • Use read-only accounts when possible
    • Limit network access to databases
    • Use SSL/TLS for database connections
  3. Redis Security

    • Enable authentication (requirepass)
    • Bind to localhost in development
    • Use Redis ACLs in production
    • Enable SSL/TLS for Redis connections
  4. API Security

    • Implement rate limiting
    • Use HTTPS in production
    • Validate all input data
    • Implement authentication/authorization
  5. Docker Security

    • Don't run containers as root
    • Scan images for vulnerabilities
    • Keep base images updated
    • Use secrets management

For Developers

  1. Code Security

    // ✅ Good - Parameterized queries
    await db.query('SELECT * FROM users WHERE id = ?', [userId]);
    
    // ❌ Bad - String concatenation
    await db.query(`SELECT * FROM users WHERE id = ${userId}`);
  2. Dependencies

    • Regularly update dependencies
    • Run bun audit before releases
    • Pin major versions
    • Review dependency changes
  3. Error Handling

    // ✅ Good - Don't leak sensitive info
    res.status(500).json({ error: 'Internal server error' });
    
    // ❌ Bad - Exposes internals
    res.status(500).json({ error: error.stack });
  4. Input Validation

    • Validate all user input
    • Sanitize database URLs
    • Check file paths for traversal
    • Validate job data schemas
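The validation items above (database URLs and file paths from item 4, plus the non-leaking error response from item 3) in working form, as an added example that is not the project's own code. It assumes a job carries a `sourceDb` connection URL and an optional dump path relative to a fixed directory; the host allowlist, the directory and the function names `validateDbUrl`, `safeJoin` and `errorResponse` are all assumptions made for this example.

```javascript
// Added example (not the project's code): validation helpers for a migration
// API. Assumes (hypothetically) that jobs carry a `sourceDb` connection URL and
// an optional dump file path relative to a fixed directory.

// Connection schemes this service is willing to open (assumed allowlist).
const ALLOWED_SCHEMES = new Set(['postgres:', 'postgresql:', 'mysql:']);
// Hosts the service may reach; a real deployment would load this from config.
const ALLOWED_HOSTS = new Set(['db.internal.example', 'localhost']);

// Parse and validate a database connection URL. Returns its components on
// success and throws on anything outside the allowlists. The check is
// structural: the URL must parse, use an allowed scheme, point at an allowed
// host, carry no query string (so options such as sslmode cannot be smuggled
// in by the caller) and name the database with a plain identifier.
function validateDbUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) {
    throw new Error('sourceDb must be a string of at most 2048 characters');
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('sourceDb is not a valid URL');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`host ${url.hostname} is not allowlisted`);
  }
  if (url.search !== '') {
    throw new Error('query parameters are not permitted in sourceDb');
  }
  // Restricting the database name to an identifier pattern means the value can
  // never carry quotes, whitespace or statement separators into a query.
  const database = url.pathname.replace(/^\//, '');
  if (!/^[A-Za-z0-9_]{1,63}$/.test(database)) {
    throw new Error('database name must match [A-Za-z0-9_]{1,63}');
  }
  return {
    scheme: url.protocol.slice(0, -1),
    host: url.hostname,
    port: url.port === '' ? null : Number(url.port),
    database,
    user: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
  };
}

// Join a user-supplied relative path onto a fixed base directory, refusing
// anything that could escape it: absolute paths, drive letters, backslashes,
// NUL bytes and any `..` segment. Pure string logic, no filesystem access.
function safeJoin(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  if (userPath.startsWith('/') || userPath.includes('\\') || /^[A-Za-z]:/.test(userPath)) {
    throw new Error('absolute paths are not permitted');
  }
  const segments = userPath.split('/').filter((s) => s !== '' && s !== '.');
  if (segments.length === 0 || segments.includes('..')) {
    throw new Error('path traversal or empty path rejected');
  }
  return `${baseDir.replace(/\/+$/, '')}/${segments.join('/')}`;
}

// Build the response for an unexpected error: full details go to the
// server-side log, the client receives only a generic message and a request
// id it can quote when asking for help. `log` is injectable for testing.
function errorResponse(err, requestId, log = console.error) {
  log(`[${requestId}] ${err.stack || err.message}`);
  return { status: 500, body: { error: 'Internal server error', requestId } };
}
```

The URL check deliberately allowlists rather than blocklists: a scheme, host or database name that is not explicitly permitted is rejected, so a new kind of bad input fails closed. The request id in the error response is what ties a user's report back to the full stack trace in the server log.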

Known Security Considerations

1. Database Credentials in Job Data

Risk: Database URLs containing credentials are stored in Redis.

Mitigation:

  • Use Redis with authentication
  • Encrypt sensitive data at rest
  • Use short-lived credentials when possible
  • Implement job data encryption (planned)

2. Redis Access

Risk: Unauthorized Redis access could expose job data.

Mitigation:

  • Enable Redis authentication
  • Use network isolation
  • Implement Redis ACLs
  • Monitor Redis access logs

3. Migration Job Processing

Risk: Processing untrusted database schemas.

Mitigation:

  • Run workers in isolated environments
  • Implement resource limits
  • Validate schema data
  • Use read-only database connections when possible

Security Updates

Security updates will be announced:

  • GitHub Security Advisories
  • Release notes
  • Email (for reported vulnerabilities)

Acknowledgments

We appreciate the security research community's efforts in responsibly disclosing vulnerabilities. Security researchers will be acknowledged in:

  • CHANGELOG.md
  • Security advisory
  • GitHub security credits

Contact

For security-related questions:


Last updated: 2026-02-05
