| Version | Supported |
|---|---|
| 0.1.x | β Supported |
| < 0.1 | β Unsupported |
If you discover a security vulnerability, please report it responsibly through one of these channels:
- Email: send to tom@sapletta.com with the subject "Security vulnerability in getv", including as much detail as possible
- GitHub: create a private issue, mark it "Security vulnerability", and limit access to maintainers only

Please include in the report:
- Type of vulnerability (XSS, injection, etc.)
- Steps to reproduce
- Potential impact
- Environment details (OS, Python version)
- Any screenshots or logs
Initial response time targets by severity:
- Critical: Within 24 hours
- High: Within 48 hours
- Medium: Within 1 week
- Low: Within 2 weeks
We follow responsible disclosure:
- Acknowledge receipt within 24 hours
- Assess vulnerability severity
- Develop fix (typically within 1-2 weeks)
- Coordinate disclosure with reporter
- Release security update
- Public disclosure (after fix is available)
Recommendations for users:
- Keep getv updated to the latest version
- Use encryption for sensitive data (`getv[crypto]`)
- Set proper file permissions on profile directories
- Regularly rotate encryption keys
- Audit profiles for unused sensitive data
Code examples:

```python
import re

# Always mask sensitive values in logs
from getv.security import mask_dict

# Use encryption for transport
from getv.security import encrypt_store, generate_key

# Validate input: fullmatch rejects a trailing newline, which `^...$`
# with re.match would accept
def validate_profile_name(name: str) -> bool:
    return bool(re.fullmatch(r'[a-zA-Z0-9_-]+', name))
```

Built-in security features:
- Automatic secret detection - masks passwords, tokens, keys
- Fernet encryption (AES-128-CBC with HMAC-SHA256) for sensitive values
- File permissions - secure defaults for encryption keys
- Input validation - profile name sanitization
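An added example, not getv's own code, of the profile name validation, path traversal guard and key file permission handling the feature list refers to. It assumes a layout of one directory per profile under a base directory with the Fernet key stored as a separate file, targets POSIX permission bits, and all function names are illustrative:

```python
import os
import re
import stat
from pathlib import Path

# Assumed layout for this example: each profile is a directory directly
# under a base directory, and the encryption key is a separate file.
# Names are restricted to an allow-list rather than denying '..' or '/'.
PROFILE_NAME_RE = re.compile(r"[a-zA-Z0-9_-]+")


def validate_profile_name(name: str) -> bool:
    """fullmatch, not match with ^...$: '$' also matches before a trailing
    newline, so re.match would accept "prod\\n"."""
    return bool(PROFILE_NAME_RE.fullmatch(name))


def resolve_profile_path(base_dir: Path, name: str) -> Path:
    """Map a profile name to base_dir/name, refusing anything that fails the
    allow-list or that resolves (through a symlink) outside base_dir."""
    if not validate_profile_name(name):
        raise ValueError(f"invalid profile name: {name!r}")
    base = base_dir.resolve()
    target = (base / name).resolve()
    # Defence in depth: the regex excludes '/' and '..', but a symlink planted
    # inside base_dir could still point the resolved path elsewhere.
    if target.parent != base:
        raise ValueError(f"profile path escapes {base}: {target}")
    return target


def write_private_file(path: Path, data: bytes) -> None:
    """Create path owner-read/write only (0600) from the first instant it
    exists, instead of writing and then chmod-ing, which leaves a window where
    the file is readable under the process umask. O_EXCL refuses to clobber an
    existing file or follow a pre-planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def check_private_file(path: Path) -> bool:
    """True only for a regular file (not a symlink) with no group/other
    permission bits: the check to run on a key file before trusting it."""
    st = path.lstat()  # lstat so a symlink is judged as a symlink
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        profile_dir = resolve_profile_path(base, "prod")
        profile_dir.mkdir(mode=0o700)
        key_file = profile_dir / "fernet.key"
        write_private_file(key_file, b"<constructed placeholder, not a real key>")
        print("key file private:", check_private_file(key_file))
        try:
            resolve_profile_path(base, "../etc")
        except ValueError as exc:
            print("rejected:", exc)
```

The symlink check matters because a writable profile directory is exactly where an attacker with local access would plant one; the regex alone does not see it.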
Keys matching these patterns are automatically masked:
`PASSWORD`, `PASSWD`, `SECRET`, `TOKEN`, `API_KEY`, `APIKEY`, `PRIVATE_KEY`, `ACCESS_KEY`, `AUTH`, `CREDENTIAL`
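An added example, not getv's `mask_dict`, showing how key-name based masking of this kind is implemented: it uses the fragment list above, walks nested dicts and lists, and additionally masks the password component of URL-style values such as connection strings, which goes beyond what the page states. The sample profile is constructed and the function names are illustrative:

```python
import re
from typing import Any

# Key-name fragments treated as sensitive: the list from the page, matched
# case-insensitively after normalising '-' to '_', so "api-key", "ApiKey"
# and "MY_API_KEY_V2" are all caught.
SENSITIVE_FRAGMENTS = (
    "PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "APIKEY",
    "PRIVATE_KEY", "ACCESS_KEY", "AUTH", "CREDENTIAL",
)
MASK = "****"

# Extension beyond the key-name rule: the password in a user:pass@host URL
# ("postgres://app:s3cret@db/x" -> "postgres://app:****@db/x").
_URL_PASSWORD_RE = re.compile(r"(://[^:/@\s]+:)[^@/\s]+@")


def is_sensitive_key(key: str) -> bool:
    """Substring match on the normalised key. This errs toward masking
    ("AUTHOR" matches "AUTH"), which is the right trade-off for log output."""
    k = key.upper().replace("-", "_")
    return any(frag in k for frag in SENSITIVE_FRAGMENTS)


def mask_secrets(obj: Any) -> Any:
    """Return a masked copy of obj; the input is never modified.

    - A value stored under a sensitive key is replaced wholesale by MASK,
      nested dicts and lists included, so a "credentials" block cannot leak
      through a sub-key the fragment list does not name.
    - Other dicts and lists are walked recursively.
    - String values have URL-embedded passwords masked.
    """
    if isinstance(obj, dict):
        return {
            k: MASK if is_sensitive_key(str(k)) else mask_secrets(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_secrets(v) for v in obj]
    if isinstance(obj, str):
        return _URL_PASSWORD_RE.sub(r"\1****@", obj)
    return obj


if __name__ == "__main__":
    # Constructed sample profile, not real data.
    profile = {
        "HOST": "db.internal",
        "DB_PASSWORD": "hunter2",
        "DATABASE_URL": "postgres://app:s3cret@db.internal:5432/app",
        "nested": {"token": "eyJhbGciOi...", "port": 5432},
        "creds": [{"access_key": "AKIA0000", "region": "eu-west-1"}],
    }
    print(mask_secrets(profile))
```

Masking the whole value under a sensitive key, rather than recursing into it, is deliberate: for log output a false positive costs a little debuggability, while a false negative leaks a credential.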
We consider the following as security vulnerabilities:
- Information disclosure - unintended exposure of sensitive data
- Injection - command or code injection vulnerabilities
- Authentication bypass - unauthorized access to profiles
- Encryption weaknesses - flaws in cryptographic implementation
- Path traversal - unauthorized file system access
- DoS - denial of service vulnerabilities
These are typically not security vulnerabilities:
- Missing input validation (unless exploitable)
- Performance issues
- UI/UX problems
- Feature requests
- Documentation errors
Security updates are released as:
- Patch versions (x.y.Z) for security fixes
- Security advisories on GitHub
- Email notifications for critical issues
Follow these steps to stay secure:
- Watch the repository for releases
- Subscribe to security advisories
- Update promptly when security versions are released
- Review changelog for security fixes
Security contact:
- Lead: Tom Sapletta (tom@sapletta.com)
- Response: Within 24 hours for critical issues
We thank security researchers who help us keep getv secure. All valid security reports will be acknowledged in our security advisories (with permission).
For questions about this security policy, email tom@sapletta.com