Parcelwatch is pre-1.0 and ships fixes on the latest release only. Always run the most recent tagged image.

| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |

Please report security issues privately rather than opening a public issue.
Use GitHub's private vulnerability reporting for this repository: open the Security tab and choose Report a vulnerability. This creates a private advisory visible only to the maintainers.
When reporting, include:
- A description of the issue and its impact.
- Steps to reproduce or a proof of concept.
- The affected version or image tag, and your configuration if relevant.
You can expect an initial response within a few days. Once a fix is ready, a new release is published and the advisory is disclosed with credit to the reporter, unless you prefer to stay anonymous.
Parcelwatch is self-hosted software. Operators are responsible for the security of their own deployment, including:
- Terminating TLS at a reverse proxy and not exposing plain HTTP to the internet.
- Protecting the database and key file, which hold encrypted credentials.
- Keeping carrier API credentials confidential.
Reports about a specific third-party deployment you do not control are out of scope. Report issues in the Parcelwatch code itself.