We actively support the following versions of Xetrack with security updates:
| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| 0.3.x | ❌ |
| < 0.3 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Xetrack, please help us by reporting it responsibly.
Please do NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities by:
- Email: Send a detailed report to jonathan@xdss.io
- Subject Line: Include "XETRACK SECURITY" in the subject line
- Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (if you have them)
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Investigation: We will investigate the issue and determine its severity
- Timeline: We aim to provide an initial assessment within 5 business days
- Resolution: For confirmed vulnerabilities, we will work on a fix and coordinate disclosure
Xetrack works with local database files (SQLite/DuckDB). Users should be aware of:
- File Permissions: Database files may contain sensitive experiment data
- Network Access: Xetrack is designed for local use and doesn't include network security features
- Asset Storage: Pickled objects in asset storage could potentially execute code when loaded
- Command Injection: Be cautious with user-provided SQL queries via the CLI
- File Access: CLI commands can read/write database files with user permissions
- Pickle Deserialization: Asset functionality uses cloudpickle, which can execute arbitrary code
- Dependencies: Keep dependencies updated to avoid known vulnerabilities
- Keep Updated: Always use the latest supported version
- File Permissions: Secure your database files with appropriate permissions
- Trusted Assets: Only load assets from trusted sources
- Environment: Use Xetrack in controlled environments for sensitive data
- No Network Components: Xetrack operates locally, reducing attack surface
- Optional Asset Loading: Asset functionality is optional and can be disabled
- Read-only Reader: The Reader class provides read-only access to data
We follow responsible disclosure practices:
- We will work with you to understand and validate the reported vulnerability
- We will develop and test a fix
- We will coordinate the timing of the public disclosure
- We will credit you for the discovery (unless you prefer to remain anonymous)
If you have questions about this security policy, please contact jonathan@xdss.io.
Thank you for helping keep Xetrack secure! 🔒