Report Vulnerabilities: GitHub Security Advisories
We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of chronicon seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please use GitHub Security Advisories:
- Navigate to: https://github.com/19-84/chronicon/security/advisories/new
- Or click the "Security" tab on the repository page
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
This information will help us triage your report more quickly.
When using chronicon, we recommend following these security best practices:
- Only archive forums from trusted sources
- Verify forum URLs before archiving
- Be cautious when archiving user-generated content from unknown forums
- Archive outputs are created with default file permissions
- Ensure your output directory has appropriate permissions
- Be mindful of sensitive content when sharing archives
- Respect forum rate limits and terms of service
- Use the `--rate-limit` flag appropriately
- Some forums may block automated access
- Archives contain user-generated content including usernames
- Be aware of privacy implications when publishing archives
- Consider GDPR and similar regulations if sharing archives publicly
- Keep chronicon up to date
- Regularly check for security updates: `uv pip list --outdated`
- Review dependency security advisories
- Use HTTPS URLs for forums when possible
- Be cautious when archiving forums over untrusted networks
- Consider using a VPN if archiving sensitive forums
Archives contain user-generated HTML content. While we process and sanitize content during export:
- HTML exports preserve post formatting
- Images are downloaded from external sources
- Links in posts may point to external resources
SQLite database files contain all archived content:
- Protect database files with appropriate permissions
- Database files are not encrypted
- Consider encrypting sensitive archives at rest
When downloading images and assets:
- Files are downloaded from URLs in post content
- No size limits are enforced by default
- Malicious actors could reference very large files
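
One way to bound the asset-download risk listed above, shown as an added example that is not chronicon's own code: the cap is enforced on the bytes actually read, because a `Content-Length` header can be absent or wrong. The names `save_capped` and `AssetTooLarge` and all parameters are hypothetical; `stream` is any object with a `read()` method, such as an HTTP response body.

```python
import io
import os
import tempfile


class AssetTooLarge(Exception):
    """Raised when an asset exceeds the configured size cap."""


def save_capped(stream, dest_path, max_bytes, declared_length=None, chunk_size=65536):
    """Copy a response body to dest_path, refusing more than max_bytes.

    declared_length is the Content-Length header if one was sent. It is
    attacker-controlled, so it only serves as an early reject; the cap is
    enforced on the bytes actually read. Returns the number of bytes saved.
    """
    if str(declared_length).isdigit() and int(declared_length) > max_bytes:
        raise AssetTooLarge(f"declared {declared_length} bytes, cap is {max_bytes}")
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # On POSIX, mkstemp creates the file with owner-only (0600) permissions.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    written = 0
    try:
        with os.fdopen(fd, "wb") as tmp:
            while True:
                # Ask for at most one byte beyond the budget to detect overrun.
                chunk = stream.read(min(chunk_size, max_bytes - written + 1))
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:
                    raise AssetTooLarge(f"body exceeded cap of {max_bytes} bytes")
                tmp.write(chunk)
        os.replace(tmp_path, dest_path)  # publish only complete, in-cap files
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave a truncated asset in the archive
        raise
    return written


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp()
    # Constructed sample bodies standing in for HTTP responses.
    print(save_capped(io.BytesIO(b"\x89PNG" + b"\0" * 60), os.path.join(out_dir, "ok.png"), 1024))
    try:
        save_capped(io.BytesIO(b"A" * 5000), os.path.join(out_dir, "big.png"), 1024, "100")
    except AssetTooLarge as exc:
        print("rejected:", exc)
```
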
- Security vulnerabilities are assessed for severity
- Patches are developed and tested
- Security advisories are published
- Fixed versions are released
- Users are notified through GitHub releases
- We follow a coordinated disclosure process
- Security researchers are given credit for findings (if desired)
- We aim to fix critical vulnerabilities within 7 days
- Public disclosure occurs after patch release
For security-related questions that are not vulnerabilities, you can:
- Open a GitHub Discussion
- Contact maintainers via GitHub
Thank you for helping keep chronicon and its users safe!
See Also:
- examples/docker/SECURITY.md - Docker security hardening
- TROUBLESHOOTING.md - Security-related troubleshooting
- FAQ.md - Security FAQs