We take the security of ClamUI seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please report security vulnerabilities using GitHub Security Advisories.

This is the preferred method as it allows for:

• Private disclosure and discussion
• Coordinated vulnerability disclosure
• CVE assignment through GitHub
• Draft security advisories before public disclosure

If you prefer not to use GitHub Security Advisories, you can email security reports to:

clamui@rooki.xyz

Please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Any suggested fixes (if available)

ClamUI is currently in early development. Security updates are provided for:

As the project matures, this policy will be updated to reflect long-term support commitments.

Please report any security vulnerabilities including but not limited to:

• Command Injection: Improper sanitization of paths or user input passed to shell commands
• Path Traversal: Ability to access files outside intended directories
• Privilege Escalation: Unauthorized elevation of permissions
• Information Disclosure: Exposure of sensitive data (API keys, scan results, system information)
• Arbitrary Code Execution: Ability to execute unauthorized code

• Denial of Service: Crashes or resource exhaustion
• Log Injection: Ability to inject malicious content into logs
• Symlink Attacks: Improper handling of symbolic links
• Race Conditions: Time-of-check to time-of-use vulnerabilities

• ClamAV command execution (src/core/scanner.py, src/core/daemon_scanner.py)
• Scheduled scan commands (src/core/scheduler.py)
• Flatpak host command execution (src/core/flatpak.py)
• Quarantine file handling (src/core/quarantine/)
• Input sanitization (src/core/sanitize.py, src/core/path_validation.py)
• API key storage (src/core/keyring_manager.py)

The following are not considered security vulnerabilities:

• ClamAV detection capabilities (report to ClamAV project)
• False positives/negatives from virus scans
• UI/UX issues without security impact
• Performance issues without DoS potential
• Issues requiring physical access to an unlocked system

1. Report Received: We aim to acknowledge receipt within 48 hours
2. Initial Assessment: We will assess the severity and impact within 7 days
3. Coordinated Disclosure: We will work with you to understand and fix the issue
4. Fix Development: We will develop and test a fix
5. Release: We will release a patched version
6. Public Disclosure: After users have had time to update (typically 7-14 days), we will publicly disclose the vulnerability

When using ClamUI:

• Keep Updated: Always use the latest version of ClamUI and ClamAV
• Limit Permissions: Run ClamUI with minimal necessary permissions
• Validate Sources: Only scan files from trusted sources when possible
• Secure API Keys: Use the built-in keyring storage for VirusTotal API keys
• Review Exclusions: Regularly audit exclusion patterns to ensure they're still needed
• Monitor Logs: Check scan logs for suspicious activity

ClamUI implements several security measures:

• Input Sanitization: All user input and file paths are sanitized before use
• Path Validation: Paths are validated to prevent directory traversal
• Symlink Safety: Symlinks are checked before following
• Command Escaping: Shell commands use shlex.quote() for safe execution
• Quarantine Integrity: SHA-256 verification for quarantined files
• Secure Storage: API keys stored in system keyring (GNOME Keyring, KWallet)
• Flatpak Sandboxing: Additional isolation when running as Flatpak

• Security Issues: GitHub Security Advisories or clamui@rooki.xyz
• General Issues: GitHub Issues
• Project: https://github.com/linx-systems/clamui

• OWASP Top 10
• ClamAV Security
• Python Security Best Practices