| Version | Supported |
|---|---|
| 0.5.x | ✅ |
| < 0.5.0 | ❌ |
This application requires I2C hardware access, which typically requires elevated privileges:
- The application must run as root or have appropriate I2C permissions
- Systemd service runs with restricted capabilities where possible
- See systemd service file for security hardening options
- Configuration files may contain sensitive information
- Set appropriate file permissions:
chmod 600 /etc/i2c-display/config.json - The application validates all configuration inputs
- Environment variables can override sensitive settings
If metrics are enabled:
- The metrics endpoint exposes system information
- Bind to localhost only in production:
"address": "127.0.0.1:9090" - Use firewall rules to restrict access
- Consider authentication proxy if exposing externally
- All dependencies are tracked in
go.modandgo.sum - Dependabot monitors for security updates
- Regular security scans via CodeQL and gosec in CI/CD
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
-
GitHub Security Advisories (preferred)
- Go to https://github.com/ausil/i2c-display/security/advisories
- Click "Report a vulnerability"
-
Direct Email
- Contact the maintainer directly
- Include detailed information about the vulnerability
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
- Critical: Within 7 days
- High: Within 14 days
- Medium: Within 30 days
- Low: Next release cycle
- We follow coordinated disclosure
- We will credit reporters (unless anonymity is requested)
- Security advisories will be published after fixes are released
- CVEs will be requested for significant vulnerabilities
-
Keep Updated
# Check for updates regularly sudo systemctl stop i2c-display # Update package sudo systemctl start i2c-display
-
Secure Configuration
# Set correct permissions sudo chmod 600 /etc/i2c-display/config.json sudo chown root:root /etc/i2c-display/config.json -
Monitor Logs
# Check for suspicious activity sudo journalctl -u i2c-display -f -
Restrict Metrics Access
{ "metrics": { "enabled": true, "address": "127.0.0.1:9090" // Localhost only } }
-
Input Validation
- All configuration inputs are validated
- Bounds checking on all array accesses
- Safe type conversions
-
Error Handling
- Never expose sensitive information in errors
- Log errors with appropriate context
- Fail securely
-
Dependencies
- Review dependency changes
- Keep dependencies minimal
- Monitor security advisories
-
Code Review
- All changes require review
- Security-sensitive changes require thorough review
- Automated security scanning in CI
The provided systemd service includes security hardening:
[Service]
# Restrict privileges
NoNewPrivileges=true
# Filesystem restrictions
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/dev/i2c-1
PrivateTmp=true
# Additional hardening (optional, may need adjustment)
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=trueAdjust based on your security requirements and system capabilities.
- I2C Access Required - Application needs I2C device access
- Root or i2c Group - Must run with appropriate permissions
- Local System Only - Designed for local SBC use, not network exposure
- Hardware Dependencies - Behavior depends on I2C hardware availability
- Application runs with minimum required privileges
- Configuration file permissions are restrictive (600)
- Metrics endpoint (if enabled) is localhost-only or firewalled
- Logs are monitored for anomalies
- System is kept up to date
- Only trusted displays are connected (I2C security)
Thank you for helping keep this project secure!