Security: haydenk/gridsync

SECURITY.md

Security Policy

Supported versions

GridSync is in active development pre-1.0. Security fixes will be applied to:

  • The latest tagged release
  • The develop branch

Older tagged releases will not receive backports unless explicitly noted in the changelog.

Reporting a vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Use one of the following channels:

  1. Preferred: GitHub private vulnerability reporting — opens a private advisory only the maintainers can see.
  2. Alternate: Email the maintainer (see the CODEOWNERS file or the GitHub profile of the maintainer listed there).

Please include:

  • A description of the vulnerability and its impact
  • Steps to reproduce, or a proof-of-concept if you have one
  • The affected version(s) or commit
  • Any suggested mitigation

What to expect

  • Acknowledgement of the report within a reasonable window (this is a small project — please be patient).
  • A discussion of severity and remediation timeline in the private advisory.
  • Public disclosure coordinated with the reporter once a fix is available.
  • Credit in the changelog and release notes if you'd like it (or anonymous if you prefer).

Scope

In scope:

  • The HTTP API (gridsync-api / esiid-api) and any auth, input handling, or response handling code
  • The downloader and ETL binaries when run against trusted inputs
  • Database schema and migrations (SQL injection, privilege escalation, etc.)
  • Dependency vulnerabilities surfaced by cargo audit or Dependabot

Out of scope:

  • The ERCOT public data itself — it is published by ERCOT and is not sensitive
  • Issues requiring physical access to the server running GridSync
  • Denial of service from unbounded queries against a server you control (run a reverse proxy / rate limiter — see issue #23)
  • Findings against forks or modified deployments

Hardening guidance for operators

If you are deploying GridSync, also consider:

  • Run behind a reverse proxy that enforces TLS, rate limits, and request size caps
  • Restrict the Postgres role used by the API to SELECT only on service_points / esiids
  • Keep DATABASE_URL and other env vars out of process listings and shell history
  • Subscribe to repository releases to receive security-relevant updates
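The SELECT-only Postgres role from the second bullet, written out as an added example (not code from the GridSync repository); the role name gridsync_api, the database name gridsync, the schema public and the migration role gridsync_migrate are assumptions, while service_points and esiids are the tables named above.

```sql
-- Added example, not part of GridSync: a least-privilege Postgres role for the API.
-- Assumptions: role gridsync_api, database gridsync, tables in schema public,
-- migrations run as a separate role gridsync_migrate. Run as a superuser/owner.

-- Weak setting (what to avoid): the API connects as the owner or superuser, e.g.
--   DATABASE_URL=postgres://postgres:...@db/gridsync
-- Any injection in a query handler then reaches every table, plus DDL.

-- Hardened: a dedicated login role that starts with nothing.
CREATE ROLE gridsync_api LOGIN PASSWORD 'REPLACE-FROM-SECRET-STORE';  -- placeholder

-- Close the implicit grants PUBLIC gets by default (CONNECT/TEMP on the database,
-- USAGE on schema public in PG15+, USAGE+CREATE in older versions). Note this also
-- affects every other role that relied on PUBLIC; grant them back explicitly.
REVOKE ALL ON DATABASE gridsync FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Grant exactly what the API needs: connect, see the schema, read two tables.
GRANT CONNECT ON DATABASE gridsync TO gridsync_api;
GRANT USAGE ON SCHEMA public TO gridsync_api;
GRANT SELECT ON TABLE service_points, esiids TO gridsync_api;

-- Make sure future migrations do not silently widen the role: tables created by
-- gridsync_migrate get no automatic privileges for gridsync_api or PUBLIC.
ALTER DEFAULT PRIVILEGES FOR ROLE gridsync_migrate IN SCHEMA public
    REVOKE ALL ON TABLES FROM PUBLIC;

-- Check 1: list every table privilege the API role can reach, including
-- leftover grants to PUBLIC, which the role inherits without being the grantee.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('gridsync_api', 'PUBLIC')
ORDER BY table_name, privilege_type;
-- Expected: exactly two rows, gridsync_api/esiids/SELECT and
-- gridsync_api/service_points/SELECT; any PUBLIC row or non-SELECT row is a finding.

-- Check 2: impersonate the role and confirm a write is rejected
-- (run interactively; the failing statement aborts a transaction block).
SET ROLE gridsync_api;
INSERT INTO esiids DEFAULT VALUES;   -- expect: ERROR: permission denied for table esiids
RESET ROLE;
```

Re-run Check 1 after every migration; a new table that shows up for PUBLIC or with INSERT/UPDATE/DELETE for gridsync_api means the migration reintroduced a grant.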

There aren't any published security advisories