We actively maintain and provide security updates for the following versions of @pitzzahh/signaldb-adapter-tauri:
| Version | Supported | Notes |
|---|---|---|
| 2.1.x | ✅ | Latest stable, recommended |
| 2.0.x | ⚠️ | Critical security fixes only |
| 1.x.x | ❌ | No longer supported |
| < 1.0 | ❌ | No longer supported |
- v2.1.0+: Comprehensive security hardening with encryption enforcement, path traversal protection, and data validation
- v2.0.x: Basic filesystem operations with minimal security features
- v1.x.x: Legacy version with known security limitations
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly by following these guidelines:
- DO NOT create a public GitHub issue for security vulnerabilities
- Email us directly at: araopeterj@gmail.com
- Use the subject line: [SECURITY] SignalDB Adapter Vulnerability Report
- Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if any)
- Your contact information for follow-up
- Initial Response: Within 48 hours of your report
- Status Updates: Every 7 days until resolution
- Timeline:
- Critical vulnerabilities: Fixed within 7 days
- High severity: Fixed within 14 days
- Medium/Low severity: Fixed within 30 days
We classify vulnerabilities based on the actual attack surface of a local filesystem adapter:
- Complete bypass of encryption mechanisms
- Data corruption causing permanent data loss
- Arbitrary file write/read outside the intended application directory
- Path traversal vulnerabilities allowing access to sensitive system files
- Encryption key exposure or weak encryption implementation
- Race conditions leading to data corruption
- Information disclosure through error messages or logs
- Denial of service through resource exhaustion
- Backup/recovery mechanism failures
- Minor information leaks in debug output
- Non-critical crashes that don't affect data integrity
- Performance degradation with potential DoS implications
When using this adapter, follow these security recommendations:
```typescript
// Always use encryption for sensitive data
const adapter = createTauriFileSystemAdapter('data.json', {
  encrypt: yourEncryptFunction,
  decrypt: yourDecryptFunction,
  security: {
    enforceEncryption: true, // Require encryption
    allowPlaintextFallback: false // Disable fallback to plaintext storage
  }
});
```

```typescript
// Use safe filenames - avoid path traversal
// ✅ Good: a plain basename inside the application's data directory
createTauriFileSystemAdapter('users.json')
createTauriFileSystemAdapter('app-data.json')

// ❌ Avoid: separators and '..' segments try to escape the data directory
createTauriFileSystemAdapter('../../../etc/passwd')
createTauriFileSystemAdapter('data\\..\\config.json')
```

```typescript
// Implement custom data validation
const adapter = createTauriFileSystemAdapter('data.json', {
  security: {
    validateDecryptedData: true,
    // Type guard: the adapter only hands back data that passes this check
    dataValidator: (data): data is MyDataType[] => {
      return Array.isArray(data) && data.every(isValidDataStructure);
    }
  }
});
```

```typescript
// Handle security errors appropriately
try {
  await collection.insert(data);
} catch (error) {
  // The caught value is `unknown` in TypeScript; narrow it before reading `.message`
  if (error instanceof Error && error.message.includes('SECURITY')) {
    // Log security incidents
    console.error('Security violation:', error);
    // Don't expose sensitive details to users
    showUserMessage('Operation failed due to security policy');
  } else {
    // Re-throw anything else so ordinary failures are not silently swallowed
    throw error;
  }
}
```

- All data is stored locally using Tauri's secure filesystem API
- Files are written atomically to prevent corruption
- Optional encryption protects data at rest
- Automatic backups prevent data loss
- Filename sanitization prevents path traversal attacks
- Invalid characters and sequences are rejected
- Relative path attempts are blocked
- No sensitive data persisted in memory longer than necessary
- Data cloning prevents unintended mutations
- Proper cleanup of temporary variables
We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged in our changelog and can request:
- Public recognition (unless you prefer to remain anonymous)
- Hall of fame mention in our documentation
- Coordination on disclosure timeline
- Technical discussion about the fix
For security-related questions or concerns:
- Email: araopeterj@gmail.com
- GitHub: @pitzzahh
For general questions, please use GitHub Issues.
This security policy is reviewed quarterly and updated as needed. Last updated: July 7, 2025