The PluresDB team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings.
If you discover a security vulnerability, please report it as follows:
- Do NOT open a public GitHub issue
- Email details to: security@plures.dev (or use GitHub's private vulnerability reporting feature)
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Any suggested fixes (optional)

After you submit a report:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will provide regular updates on our progress
- Timeline: We aim to release a fix within 30 days for critical issues
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
We currently support security updates for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
When using PluresDB, we recommend:
- Keep PluresDB Updated: Always use the latest stable version
- Secure Your Keys: Protect private keys used for P2P encryption
- Network Security: Use TLS/SSL for network communications in production
- Access Control: Implement proper access controls for your data
- Audit Logs: Enable and regularly review audit logs
- Data Encryption: Use encryption at rest for sensitive data
- PluresDB uses end-to-end encryption for P2P data sharing
- Peer authentication is based on public key infrastructure
- Always verify peer identities before sharing sensitive data
- Data is stored locally on your device
- Encryption at rest is available but must be explicitly enabled
- Ensure proper file system permissions on data directories
- The Web UI runs on localhost by default (port 34568)
- Do not expose the Web UI port to untrusted networks without proper authentication
- Use a reverse proxy with authentication for remote access
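
A check for the two local-exposure points above (data directory permissions and the Web UI listener on port 34568), as an added example that is not part of PluresDB. The data directory path is supplied by the caller, the function names are hypothetical, and the socket listing is a constructed sample in `ss -Hltn` format.

```shell
#!/bin/sh
# Added example, not PluresDB code. Function names are hypothetical.
WEBUI_PORT=34568   # default Web UI port stated in this policy

# Reads `ss -Hltn` style lines on stdin and prints every local address on
# WEBUI_PORT that is not a loopback address. Returns 1 if any was found.
exposed_webui_listeners() {
    awk -v port="$WEBUI_PORT" '
        {
            addr = $4                        # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)      # last colon, so IPv6 is handled
            if (!n) next
            host = substr(addr, 1, n - 1)
            p = substr(addr, n + 1)
            if (p != port) next
            if (host ~ /^127\./) next                 # IPv4 loopback
            if (host == "[::1]") next                 # IPv6 loopback
            if (host ~ /^\[::ffff:127\./) next        # IPv4-mapped loopback
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Succeeds only if the directory grants no permissions to group or others.
# $1 is the data directory; its location is an assumption left to the caller.
dir_is_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)     # group and other permission bits
    [ "$perms" = "------" ]
}

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE='LISTEN 0 128 127.0.0.1:34568 0.0.0.0:*
LISTEN 0 128 0.0.0.0:34568 0.0.0.0:*
LISTEN 0 128 [::1]:34568 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | exposed_webui_listeners \
    || echo "Web UI is reachable beyond localhost"
```

On a live Linux host, pipe `ss -Hltn` into `exposed_webui_listeners` and pass your actual data directory to `dir_is_private`.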
Security updates will be announced through:
- GitHub Security Advisories
- Repository CHANGELOG.md
- GitHub Discussions (Security category)
For security-related questions that are not vulnerabilities, you can:
- Open a discussion in the Security category: https://github.com/plures/pluresdb/discussions
- Contact us via GitHub issues (for non-sensitive questions only)
Thank you for helping keep PluresDB and its users safe!