| Version | Supported |
|---|---|
| 0.1.x | Yes |

If you discover a security vulnerability in dfo, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
- GitHub Private Advisory (preferred): Use GitHub Security Advisories to report the issue privately.
- Email: Send details to the maintainer via the email listed on the GitHub profile.

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

You can expect the following response times:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix or mitigation: Depends on severity, typically within 30 days
Security issues in the following areas are in scope:
- Command injection or arbitrary code execution
- Credential or secret exposure
- Unsafe handling of Azure SDK credentials
- DuckDB injection or data corruption
- Unsafe defaults in execution commands

The following are out of scope:

- Issues requiring physical access to the machine running dfo
- Social engineering attacks
- Denial of service against local CLI usage