Security: VoxDroid/vox-md

Security Policy

Supported Versions

The following versions of vox-md are currently supported with security updates:

Version Supported
1.0.0
Future ✅ (Latest release)

We recommend using the latest version from the repository to ensure you have the most recent security fixes and improvements.

Reporting a Vulnerability

If you discover a security vulnerability in vox-md, we appreciate your help in disclosing it responsibly. Please follow these steps:

  1. Do Not Disclose Publicly: Avoid sharing details of the vulnerability in public forums, such as GitHub issues, social media, or other platforms, until it has been addressed.
  2. Contact the Maintainer Privately:
    • Create a private issue or discussion on the GitHub repository.
    • Include a detailed description of the vulnerability, steps to reproduce, and potential impact.
  3. Response Time:
    • You can expect an initial response within 48 hours.
    • We will work with you to validate and address the issue promptly.
  4. Disclosure:
    • Once the vulnerability is fixed, we will coordinate with you on public disclosure, if appropriate.
    • Credit will be given for your discovery in release notes, unless you prefer anonymity.

Security Best Practices

To keep your use of vox-md secure:

  • Use Trusted Sources: Download or clone the project only from the official GitHub repository.
  • Secure Dependencies: Regularly update Rust dependencies via cargo update and ensure wkhtmltopdf is from a trusted source (e.g., official downloads or package managers).
  • Input Validation: vox-md validates input files (.md extension), but avoid processing untrusted Markdown files to prevent potential issues with wkhtmltopdf rendering.
  • Template Security: Use trusted HTML templates in templates/. Avoid including executable code (e.g., JavaScript) in templates, as wkhtmltopdf may process it.
  • File System Access: vox-md writes to user-specified output paths. Ensure output directories are writable and secure to prevent unauthorized access.
  • Run in Trusted Environments: Execute vox-md in secure environments to avoid exposing sensitive data in Markdown files or templates.
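The two path-related practices above (accept only `.md` input files; write only into output directories that are writable and secure) can be turned into explicit checks. The following Rust is an added illustration, not code from vox-md; the function and error names are hypothetical, and the rejection of world-writable output directories goes slightly beyond the page, as a check a practitioner would typically add on Unix.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Reasons a path is refused. Hypothetical type, not part of vox-md.
#[derive(Debug, PartialEq)]
pub enum PathCheckError {
    NotMarkdown(PathBuf),
    NotAFile(PathBuf),
    NotADirectory(PathBuf),
    NotWritable(PathBuf),
    WorldWritable(PathBuf),
}

/// Accept only an existing regular file whose extension is `.md`
/// (compared case-insensitively, so `README.MD` also passes).
pub fn check_input_markdown(path: &Path) -> Result<PathBuf, PathCheckError> {
    let is_md = path
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("md"))
        .unwrap_or(false);
    if !is_md {
        return Err(PathCheckError::NotMarkdown(path.to_path_buf()));
    }
    match fs::metadata(path) {
        Ok(meta) if meta.is_file() => Ok(path.to_path_buf()),
        _ => Err(PathCheckError::NotAFile(path.to_path_buf())),
    }
}

/// Verify the output directory exists, is a directory, is writable by the
/// current user, and (on Unix) is not writable by every user on the host.
pub fn check_output_dir(dir: &Path) -> Result<PathBuf, PathCheckError> {
    let meta = fs::metadata(dir)
        .map_err(|_| PathCheckError::NotADirectory(dir.to_path_buf()))?;
    if !meta.is_dir() {
        return Err(PathCheckError::NotADirectory(dir.to_path_buf()));
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        // Other-write bit set: any local user could tamper with our output.
        if (meta.permissions().mode() & 0o002) != 0 {
            return Err(PathCheckError::WorldWritable(dir.to_path_buf()));
        }
    }
    // Probe writability by creating and immediately removing a unique file,
    // which reflects the effective permissions better than reading mode bits.
    let probe = dir.join(format!(".write-probe-{}", std::process::id()));
    match fs::OpenOptions::new().write(true).create_new(true).open(&probe) {
        Ok(file) => {
            drop(file);
            let _ = fs::remove_file(&probe);
            Ok(dir.to_path_buf())
        }
        Err(_) => Err(PathCheckError::NotWritable(dir.to_path_buf())),
    }
}

/// Stand-alone usage: `<binary> <input.md> <output-dir>`.
fn main() {
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} <input.md> <output-dir>", args[0]);
        std::process::exit(2);
    }
    match (
        check_input_markdown(Path::new(&args[1])),
        check_output_dir(Path::new(&args[2])),
    ) {
        (Ok(input), Ok(out)) => println!("ok: {} -> {}", input.display(), out.display()),
        (input, out) => {
            eprintln!("refused: input={:?} output={:?}", input, out);
            std::process::exit(1);
        }
    }
}
```

Both checks return the offending path in the error so the CLI can report exactly what was refused. The write probe deliberately uses `create_new`, so an existing file with the same name is never truncated.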

Known Dependencies

vox-md relies on the following third-party dependencies, which may have their own security policies:

  • Rust Libraries (via Cargo):
    • pulldown-cmark: Markdown parsing.
    • wkhtmltopdf: PDF generation.
    • structopt: CLI argument parsing.
  • External Tool:
    • wkhtmltopdf: Installed separately for PDF rendering.

Check the respective project pages for security advisories and ensure you’re using the versions specified in Cargo.toml or their latest secure releases. For wkhtmltopdf, use version 0.12.6 or higher from wkhtmltopdf.org.

Thank you for helping keep vox-md secure!

There aren't any published security advisories