Keeping dbterd safe and secure for everyone
We take the security of dbterd seriously and appreciate your help in keeping our community safe.
Security Policy
We maintain security updates only for the latest version of dbterd:
| Version | Support Status | Security Updates | Notes |
|---|---|---|---|
| Latest | Fully Supported | Active | Current stable release |
| All Previous | Not Supported | None | Please upgrade to latest |
Important: Only the latest version receives security updates. Please upgrade to the newest release for security patches and bug fixes.
We appreciate responsible disclosure of security vulnerabilities. Your efforts help keep the dbterd community safe.
The most secure way to report vulnerabilities is through GitHub's private vulnerability reporting system:
- Navigate to: Report Security Vulnerability
- Use the title format: `[SECURITY] Brief description of the issue`
- Fill out all required fields with detailed information
- Submit. Only maintainers will have access to your report
If GitHub's private reporting is unavailable:
- Security Advisory: Create New Advisory
- Direct Contact: Reach out to maintainers through secure channels
To help us address the vulnerability quickly, please include:
Required Information:
- Vulnerability Type: (e.g., injection, authentication bypass, data exposure)
- Affected Components: Specific modules, functions, or endpoints
- Attack Vector: How the vulnerability can be exploited
- Impact Assessment: Potential consequences of exploitation
- Affected Versions: Which versions are vulnerable
Helpful Additions:
- Proof of Concept: Step-by-step reproduction instructions
- Suggested Fix: If you have ideas for remediation
- CVSS Score: If you've calculated one
- References: Related CVEs or security advisories
We are committed to responding promptly to security reports:
| Timeline | Action |
|---|---|
| 24 hours | Initial acknowledgment of your report |
| 72 hours | Preliminary assessment and triage |
| 7 days | Detailed analysis and response plan |
| 30 days | Resolution target for most vulnerabilities |
Note: Complex vulnerabilities may require additional time. We'll keep you informed throughout the process.
Response Process:
- Acknowledge receipt of your report
- Validate and reproduce the vulnerability
- Assess impact and severity
- Develop and test patches
- Coordinate disclosure timeline
- Release security updates
- Publish security advisory (if applicable)
Installation & Updates:
- Always install from official sources (PyPI: `pip install dbterd`)
- Keep dbterd updated to the latest version
- Regularly update dependencies: `pip install dbt-artifacts-parser --upgrade`
- Use virtual environments to isolate dependencies
Configuration Security:
- Never commit credentials or API keys to version control
- Use environment variables for sensitive configuration
- Implement proper access controls for dbt artifact files
- Review generated ERDs before sharing publicly
Runtime Security:
- Run dbterd in secure, isolated environments
- Limit file system access permissions
- Monitor for unusual activity or errors
- Validate input files before processing
Development Security:
- Follow secure coding practices
- Never commit secrets, keys, or credentials
- Use dependency scanning tools
- Implement input validation and sanitization
- Write security-focused tests
Code Review Requirements:
- All changes require security-aware code review
- Pay special attention to file I/O operations
- Validate any external dependencies
- Test with malformed/malicious inputs
We believe in recognizing those who help improve our security:
Hall of Fame - Security researchers who have responsibly disclosed vulnerabilities:
- Your name could be here! We appreciate responsible disclosure.
Recognition Process:
- Public acknowledgment in release notes
- Credit in security advisories
- Optional listing in this document
- Our heartfelt gratitude!
Security Team:
- Primary Contact: @datnguye
- GitHub Security: Security Tab
- Community: Discussions
For Non-Security Issues:
- Bug Reports
- Feature Requests
- Documentation
Security is a shared responsibility.
Thank you for helping keep dbterd secure for everyone!
Last Updated: June 2024 | Policy Version: 2.0