Security: thatdeercodes/parcelwatch

SECURITY.md

Security Policy

Supported versions

Parcelwatch is pre-1.0, and security fixes are shipped only on the latest release; older releases receive no backports. Always run the most recent tagged image.

Version   Supported
0.1.x     Yes
< 0.1     No

Reporting a vulnerability

Please report security issues privately rather than opening a public issue or pull request, so that details are not exposed before a fix is available.

Use GitHub's private vulnerability reporting for this repository: open the Security tab and choose Report a vulnerability. This creates a private advisory visible only to you and the maintainers.

When reporting, include:

  • A description of the issue and its impact (what an attacker gains, and whether it requires authentication or network access).
  • Steps to reproduce or a proof of concept.
  • The affected version or image tag, and your configuration where it is relevant to reproducing the issue.

You can expect an initial response within a few days. Once a fix is ready, a new release is published and the advisory is disclosed, crediting the reporter unless you prefer to stay anonymous.

Scope

Parcelwatch is self-hosted software. Operators are responsible for the security of their own deployment, including:

  • Terminating TLS at a reverse proxy in front of Parcelwatch and never exposing its plain-HTTP listener directly to the internet.
  • Protecting the database and the key file, which together hold the encrypted credentials; restrict filesystem access to both and include them in any backup you need to secure.
  • Keeping carrier API credentials confidential and rotating them if a deployment is compromised.

Reports about a specific third-party deployment you do not control (for example, a misconfigured instance run by someone else) are out of scope. Report issues in the Parcelwatch code and published images themselves.

There aren't any published security advisories