Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

If you discover a security vulnerability in OctopusFTP, please report it privately to protect users.

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues via:

GitHub Security Advisories (Recommended):
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
GitHub Issues (for non-critical issues):
- Open a private issue at https://github.com/arnaultpascual/OctopusFTP/issues
- Mark it with the "security" label

Please include the following information in your report:

Note: OctopusFTP is maintained by a solo developer. While I take security seriously, please understand response times may vary:

Response time: I'll do my best to respond within a few days. This is a side project, so please be patient.
Fix timeline: Critical issues will be prioritized, but timelines depend on severity and complexity
Credit: You'll be credited in the security advisory (unless you prefer anonymity)
Updates: I'll keep you informed throughout the process

When using OctopusFTP:

Credentials: Never hardcode FTP credentials in scripts
Saved connections: Passwords in ~/.octopusftp/connections.json are stored in plain text - only use on trusted machines
SSL/TLS: Always use FTPS when connecting to servers over the internet
Updates: Keep OctopusFTP updated to the latest version
Source: Only download OctopusFTP from official sources (GitHub releases)

Plain text passwords: Saved connections store passwords in plain text in ~/.octopusftp/connections.json
- Mitigation: Only save passwords on secure, personal computers
- Future: Encrypted password storage is planned for a future version

Thank you for helping keep OctopusFTP secure!