Skip to content

Security: PlusOne/dbbackup

Security

SECURITY.md

Security Policy

Supported Versions

We release security updates for the following versions:

Version Supported
3.1.x
3.0.x
< 3.0

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Preferred Method: Private Disclosure

Email: security@uuxo.net

Include in your report:

  1. Description - Clear description of the vulnerability
  2. Impact - What an attacker could achieve
  3. Reproduction - Step-by-step instructions to reproduce
  4. Version - Affected dbbackup version(s)
  5. Environment - OS, database type, configuration
  6. Proof of Concept - Code or commands demonstrating the issue (if applicable)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-3 days
    • High: 1-2 weeks
    • Medium: 2-4 weeks
    • Low: Next release cycle

Severity Levels

Critical:

  • Remote code execution
  • SQL injection
  • Arbitrary file read/write
  • Authentication bypass
  • Encryption key exposure

High:

  • Privilege escalation
  • Information disclosure (sensitive data)
  • Denial of service (easily exploitable)

Medium:

  • Information disclosure (non-sensitive)
  • Denial of service (requires complex conditions)
  • CSRF attacks

Low:

  • Information disclosure (minimal impact)
  • Issues requiring local access

Security Best Practices

For Users

Encryption Keys:

  • ✅ Generate strong 32-byte keys: head -c 32 /dev/urandom | base64 > key.file
  • ✅ Store keys securely (KMS, HSM, or encrypted filesystem)
  • ✅ Use unique keys per environment
  • ❌ Never commit keys to version control
  • ❌ Never share keys over unencrypted channels

Database Credentials:

  • ✅ Use read-only accounts for backups when possible
  • ✅ Rotate credentials regularly
  • ✅ Use environment variables or secure config files
  • ❌ Never hardcode credentials in scripts
  • ❌ Avoid using root/admin accounts

Backup Storage:

  • ✅ Encrypt backups with --encrypt flag
  • ✅ Use secure cloud storage with encryption at rest
  • ✅ Implement proper access controls (IAM, ACLs)
  • ✅ Enable backup retention and versioning
  • ❌ Never store unencrypted backups on public storage

Docker Usage:

  • ✅ Use specific version tags (:v3.2.0 not :latest)
  • ✅ Run as non-root user (default in our image)
  • ✅ Mount volumes read-only when possible
  • ✅ Use Docker secrets for credentials
  • ❌ Don't run with --privileged unless necessary

For Developers

Code Security:

  • Always validate user input
  • Use parameterized queries (no SQL injection)
  • Sanitize file paths (no directory traversal)
  • Handle errors securely (no sensitive data in logs)
  • Use crypto/rand for random generation

Dependencies:

  • Keep dependencies updated
  • Review security advisories for Go packages
  • Use go mod verify to check integrity
  • Scan for vulnerabilities with govulncheck

Secrets in Code:

  • Never commit secrets to git
  • Use .gitignore for sensitive files
  • Rotate any accidentally exposed credentials
  • Use environment variables for configuration

Known Security Considerations

Encryption

AES-256-GCM:

  • Uses authenticated encryption (prevents tampering)
  • PBKDF2 with 600,000 iterations (OWASP 2023 recommendation)
  • Unique nonce per encryption operation
  • Secure random generation (crypto/rand)

Key Management:

  • Keys are NOT stored by dbbackup
  • Users responsible for key storage and management
  • Support for multiple key sources (file, env, passphrase)

Database Access

Credential Handling:

  • Credentials passed via environment variables
  • Connection strings support sslmode/ssl options
  • Support for certificate-based authentication

Network Security:

  • Supports SSL/TLS for database connections
  • No credential caching or persistence
  • Connections closed immediately after use

Cloud Storage

Cloud Provider Security:

  • Uses official SDKs (AWS, Azure, Google)
  • Supports IAM roles and managed identities
  • Respects provider encryption settings
  • No credential storage (uses provider auth)

Security Audit History

Date Auditor Scope Status
2025-11-26 Internal Review Initial release audit ✅ Pass

Vulnerability Disclosure Policy

Coordinated Disclosure:

  1. Reporter submits vulnerability privately
  2. We confirm and assess severity
  3. We develop and test a fix
  4. We prepare security advisory
  5. We release patched version
  6. We publish security advisory
  7. Reporter receives credit (if desired)

Public Disclosure:

  • Security advisories published after fix is available
  • CVE requested for critical/high severity issues
  • Credit given to reporter (unless anonymity requested)

Security Updates

Notification Channels:

  • Security advisories on repository
  • Release notes for patched versions
  • Email notification (for enterprise users)

Updating:

# Check current version
./dbbackup --version

# Download latest version
wget https://git.uuxo.net/PlusOne/dbbackup/releases/latest

# Or pull latest Docker image
docker pull git.uuxo.net/PlusOne/dbbackup:latest

Contact

Security Issues: security@uuxo.net
General Issues: https://git.uuxo.net/PlusOne/dbbackup/issues
Repository: https://git.uuxo.net/PlusOne/dbbackup

We take security seriously and appreciate responsible disclosure. 🔒

Thank you for helping keep dbbackup and its users safe!

There aren’t any published security advisories