Skip to content

Security: darknodebros/EleSync

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.7.x
1.6.x
< 1.6

Only the latest patch release within a supported minor version receives fixes.

Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Email Bertoferran@gmail.com with:

  1. A description of the vulnerability
  2. Steps to reproduce
  3. The version(s) affected
  4. Any suggested fix (optional but appreciated)

You can expect an acknowledgement within 48 hours and a status update within 7 days. If the vulnerability is accepted, a fix will be released as a patch and credited in the changelog (unless you prefer anonymity).

Scope

EleSync is a local-first tool. The primary attack surfaces are:

  • ele serve --transport http — the remote MCP transport. Use ELESYNC_TOKEN for bearer-token auth and --allowed-host for DNS-rebinding protection. Never expose without TLS.
  • ele web with --host 0.0.0.0 — the web dashboard bound to all interfaces. Enable authentication (ele web adduser) before exposing to the network.
  • Import adapters — parsing untrusted JSON/CSV exports. Malformed input should raise a clean error, never execute code.
  • Encryption — XSalsa20-Poly1305 + argon2id via libsodium. The passphrase is never stored; keys are derived in memory only.

Disclosure

We follow coordinated disclosure. Fixes ship before details are published.

There aren't any published security advisories