| Version | Supported |
|---|---|
| 1.7.x | ✅ |
| 1.6.x | ✅ |
| < 1.6 | ❌ |
Only the latest patch release within a supported minor version receives fixes.
Do not open a public issue for security vulnerabilities.
Email Bertoferran@gmail.com with:
- A description of the vulnerability
- Steps to reproduce
- The version(s) affected
- Any suggested fix (optional but appreciated)
You can expect an acknowledgement within 48 hours and a status update within 7 days. If the vulnerability is accepted, a fix will be released as a patch and credited in the changelog (unless you prefer anonymity).
EleSync is a local-first tool. The primary attack surfaces are:
ele serve --transport http— the remote MCP transport. UseELESYNC_TOKENfor bearer-token auth and--allowed-hostfor DNS-rebinding protection. Never expose without TLS.ele webwith--host 0.0.0.0— the web dashboard bound to all interfaces. Enable authentication (ele web adduser) before exposing to the network.- Import adapters — parsing untrusted JSON/CSV exports. Malformed input should raise a clean error, never execute code.
- Encryption — XSalsa20-Poly1305 + argon2id via libsodium. The passphrase is never stored; keys are derived in memory only.
We follow coordinated disclosure. Fixes ship before details are published.