Security: erichs/dashlights

SECURITY.md

Security Policy

Reporting a Vulnerability

Thank you for helping to keep Dashlights and its users secure! We appreciate your efforts to responsibly disclose any security vulnerabilities you discover.

Public Disclosure via GitHub Issues

For most security vulnerabilities, we encourage public disclosure via GitHub Issues. This is an open source project maintained by volunteers, and we do not offer bug bounties or financial rewards for vulnerability reports.

Public disclosure helps:

  • Alert all users to potential security issues quickly
  • Enable community collaboration on fixes
  • Maintain transparency in the security process

When creating an issue, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Any suggested fixes or mitigations (if available)

Private Disclosure Option

If you have concerns about posting sensitive security details publicly (e.g., an actively exploited zero-day vulnerability), you may email the maintainer privately.

To find the maintainer's email address:

  1. Visit the maintainer's GitHub profile
  2. The email address is listed in the public profile information

Please use a descriptive subject line such as: [SECURITY] Vulnerability Report: <brief description>

GPG Encryption (Optional)

For users who wish to encrypt their security reports, you may use the maintainer's GPG public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored key body not reproduced in this copy]
-----END PGP PUBLIC KEY BLOCK-----

To encrypt a message using this key:

# Save the above public key to a file (e.g., erichs.gpg.pub.asc)

# Import the public key
gpg --import erichs.gpg.pub.asc

# Encrypt your message
gpg --encrypt --armor --recipient <maintainer's email> your-report.txt

# Send the encrypted output via email

Security Architecture

Application Security Boundaries

Dashlights operates within strict security boundaries:

ALLOWED:

  • Read local files (config files, .git, /proc)
  • Read environment variables
  • Unix socket IPC (SSH agent only)
  • Write to stdout/stderr

FORBIDDEN:

  • HTTP/HTTPS requests
  • TCP/UDP network connections
  • DNS resolution
  • Email sending
  • Telemetry/analytics
  • Writing to files (except stdout/stderr)

These boundaries are enforced by:

  1. Static analysis — Tests verify forbidden packages (net/http, net/rpc, net/smtp) are never imported
  2. Dependency scanning — Tests verify no telemetry packages exist in the dependency tree
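The two enforcement checks above can be expressed as a small Go program, shown here as an added example rather than the project's own test code (the project is assumed to be written in Go, as the package names net/http, net/rpc and net/smtp suggest). It parses each source file's import block and flags the forbidden packages, and scans `go list -m all` output for denylisted modules. The policy names no specific telemetry modules, so the module denylist entry `example.com/telemetry-sdk` and the sample sources and module list are constructed placeholders.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ForbiddenPackages is the import denylist from the policy: packages that would
// give the binary HTTP, RPC or mail capability must never appear in the tree.
var ForbiddenPackages = map[string]bool{
	"net/http": true,
	"net/rpc":  true,
	"net/smtp": true,
}

// ForbiddenModules is the denylist for the dependency-tree check. The policy
// names no specific telemetry modules, so this entry is a constructed
// placeholder, not a real module path.
var ForbiddenModules = map[string]bool{
	"example.com/telemetry-sdk": true, // placeholder
}

// ForbiddenImports parses one Go source file and returns the forbidden packages
// it imports, sorted. parser.ImportsOnly stops after the import block, so the
// check is cheap and needs no build environment or module cache.
func ForbiddenImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`) // Path.Value keeps the quotes
		if ForbiddenPackages[path] {
			found = append(found, path)
		}
	}
	sort.Strings(found)
	return found, nil
}

// AuditDir walks a source tree and maps each offending .go file to the
// forbidden packages it imports; an empty map means the boundary holds.
func AuditDir(root string) (map[string][]string, error) {
	violations := map[string][]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !strings.HasSuffix(path, ".go") {
			return nil
		}
		src, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		found, err := ForbiddenImports(path, string(src))
		if err != nil {
			return err
		}
		if len(found) > 0 {
			violations[path] = found
		}
		return nil
	})
	return violations, err
}

// ForbiddenModulesIn scans the output of `go list -m all` (one "path version"
// line per module, main module first without a version) and returns the
// denylisted module paths that appear, sorted.
func ForbiddenModulesIn(goListOutput string) []string {
	var found []string
	for _, line := range strings.Split(goListOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) > 0 && ForbiddenModules[fields[0]] {
			found = append(found, fields[0])
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// Constructed samples: one file inside the boundary, one that would give
	// the binary an HTTP client.
	samples := map[string]string{
		"clean.go": "package main\nimport \"fmt\"\nvar _ = fmt.Println\n",
		"leaky.go": "package main\nimport \"net/http\"\nvar _ = http.Get\n",
	}
	for name, src := range samples {
		found, err := ForbiddenImports(name, src)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: forbidden imports %v\n", name, found)
	}
	// Constructed `go list -m all` output containing the placeholder module.
	mods := "example.com/dashlights\nexample.com/dep v0.1.0\nexample.com/telemetry-sdk v1.2.3\n"
	fmt.Println("forbidden modules:", ForbiddenModulesIn(mods))
}
```

Wiring `AuditDir(".")` and `ForbiddenModulesIn` into a regular `go test` makes the policy fail the build the moment a dependency or contributor pulls in a network-capable package, which is the property the CI isolation below backs up at runtime.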

CI/CD Hardening

The build pipeline is hardened against supply chain attacks:

  • Network isolation — All tests run in Docker with --network=none, removing the network stack entirely
  • Minimal permissions — CI workflows use contents: read only

This means even if malicious code were injected via a dependency, it cannot:

  • Phone home to a C2 server
  • Exfiltrate secrets via HTTP, DNS, or raw sockets
  • Upload data anywhere

All network operations fail with "network is unreachable" at the kernel level.

Response Timeline

As this is a volunteer-maintained open source project, response times may vary. We will make our best effort to:

  • Acknowledge receipt of your report within 7 days
  • Provide an initial assessment within 14 days
  • Work on a fix and coordinate disclosure timing with you

Scope

This security policy applies to:

  • The Dashlights binary and source code
  • Official release artifacts published via GitHub Releases
  • Documentation that could lead to security misconfigurations

Out of Scope

The following are generally considered out of scope:

  • Vulnerabilities in third-party dependencies (please report these to the respective maintainers)
  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks against the CLI tool itself

Security Best Practices

When using Dashlights:

  • Always download releases from the official GitHub repository
  • Verify checksums of downloaded binaries when available
  • Keep your installation up to date with the latest releases
  • Review the source code if you have security concerns

Recognition

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities in our release notes (unless you prefer to remain anonymous).

Thank you for helping keep Dashlights secure! 🔒

There aren’t any published security advisories