Security
Private reporting guidance and supported-version notes from the current repo policy.
Supported versions
| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |
Reporting a vulnerability
The upstream security policy asks reporters not to open a public GitHub issue for a security vulnerability.
Preferred private path
- Use GitHub Security Advisories for private reporting on the repository.
Current policy note
- The repository's SECURITY.md reserves a dedicated security email, but the actual address is not published there yet; until it is, the GitHub Security Advisories path above is the only private channel.
Include in your report
- Clear description of the vulnerability
- Steps to reproduce
- Impact and affected version
- OS, Python version, and DBC Utility version
- Minimal proof of concept if available
- Suggested fix if you already have one
Response timeline
- Initial response target: within 48 hours
- Status update target: within 1 week
- Fix timeline: depends on severity and complexity
Security best practices
For users
- Keep DBC Utility updated
- Only load DBC files from trusted sources
- Be careful when editing critical production databases
For developers
- Validate input data
- Keep dependencies current
- Review code for security impact before release
Security features noted in the repo policy
- Input validation for DBC file handling
- File type checking
- Error handling intended to avoid leaking sensitive details
- Dependency maintenance for security-sensitive packages
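The developer guidance above ("Validate input data") and the listed features (input validation for DBC file handling, file type checking, error handling that does not leak sensitive details) are stated without detail. The following is an added example, not the DBC Utility project's own code, of what a defensive pre-parse check for a DBC file can look like. It assumes a 16 MiB size cap, a DLC limit of 64 (classic CAN uses 0..8, CAN FD DBC files go to 64), and the function names `validate_dbc_bytes` / `validate_dbc_path`, all chosen for this example; the sample DBC contents at the bottom are constructed, not taken from any real file.

```python
"""Added example (not the DBC Utility project's own code): a defensive
pre-parse check for DBC files showing file type checking, input validation
of message definitions, and error strings safe to surface to a user."""
import os
import re
from dataclasses import dataclass, field

MAX_DBC_BYTES = 16 * 1024 * 1024   # assumption: size cap chosen for this example
MAX_DLC = 64                       # assumption: classic CAN is 0..8, CAN FD DBC goes to 64
EXT_FLAG = 0x80000000              # DBC marks 29-bit (extended) IDs by setting this bit
# DBC message line: BO_ <id> <name>: <dlc> <transmitter>
_BO_RE = re.compile(r"^BO_\s+(\d+)\s+([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(\d+)\s+(\S+)\s*$")


@dataclass
class DbcCheck:
    ok: bool
    messages: int = 0
    errors: list = field(default_factory=list)   # only user-safe strings go here


def validate_dbc_bytes(display_name: str, data: bytes) -> DbcCheck:
    """Validate a DBC file already read into memory.

    display_name should be a basename, never a full path, so the error
    strings it appears in can be shown in a UI or log without leaking paths."""
    errors = []
    # 1. File type checking: extension and size before touching the content.
    if not display_name.lower().endswith(".dbc"):
        return DbcCheck(False, errors=[f"{display_name}: not a .dbc file"])
    if len(data) > MAX_DBC_BYTES:
        return DbcCheck(False, errors=[f"{display_name}: exceeds {MAX_DBC_BYTES} bytes"])
    # 2. Content sniffing: DBC is plain text; a NUL byte means a renamed binary.
    if b"\x00" in data:
        return DbcCheck(False, errors=[f"{display_name}: binary content, not DBC text"])
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        text = data.decode("latin-1")   # legacy DBC exports are often Latin-1
    lines = text.splitlines()
    if not any(ln.startswith(("VERSION", "BU_", "BO_")) for ln in lines[:200]):
        return DbcCheck(False, errors=[f"{display_name}: no DBC header keywords found"])
    # 3. Input validation of the message definitions a tool would act on.
    count = 0
    for lineno, ln in enumerate(lines, 1):
        if not ln.startswith("BO_ "):
            continue
        m = _BO_RE.match(ln)
        if not m:
            errors.append(f"{display_name}:{lineno}: malformed BO_ line")
            continue
        can_id, dlc = int(m.group(1)), int(m.group(3))
        base_id = can_id & ~EXT_FLAG                       # strip the extended flag
        limit = 0x1FFFFFFF if can_id & EXT_FLAG else 0x7FF  # 29-bit vs 11-bit range
        if base_id > limit:
            errors.append(f"{display_name}:{lineno}: CAN ID {base_id:#x} out of range")
        if not 0 <= dlc <= MAX_DLC:
            errors.append(f"{display_name}:{lineno}: DLC {dlc} out of range")
        count += 1
    return DbcCheck(not errors, messages=count, errors=errors)


def validate_dbc_path(path: str) -> DbcCheck:
    """Read a file from disk and validate it. The returned errors carry only
    the basename and never the exception text, so nothing internal leaks."""
    name = os.path.basename(path)
    try:
        if os.path.getsize(path) > MAX_DBC_BYTES:   # reject before reading it all
            return DbcCheck(False, errors=[f"{name}: exceeds {MAX_DBC_BYTES} bytes"])
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        # Log the real exception internally if needed; the caller sees only this.
        return DbcCheck(False, errors=[f"{name}: could not be read"])
    return validate_dbc_bytes(name, data)


# Constructed sample inputs for this example (not from any real project file).
GOOD_DBC = b'VERSION ""\n\nBU_: ECU1 ECU2\n\nBO_ 256 EngineData: 8 ECU1\nBO_ 2566914048 ExtFrame: 8 ECU2\n'
BAD_DBC = b'VERSION ""\nBO_ 4096 TooBigId: 65 ECU1\nBO_ oops\n'

if __name__ == "__main__":
    for name, blob in (("good.dbc", GOOD_DBC), ("bad.dbc", BAD_DBC), ("evil.exe", b"MZ\x00")):
        print(name, validate_dbc_bytes(name, blob))
```

The point of splitting the work into `validate_dbc_bytes` and `validate_dbc_path` is that the part which touches the filesystem is the only part that can raise with a path or OS message inside it, so it is the only place that needs the catch-and-sanitise step; everything after that works on a basename and bytes and cannot leak more than it is handed.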