| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +| Version | Supported | |
| 6 | +| ------- | ------------------ | |
| 7 | +| 2.0.x | :white_check_mark: | |
| 8 | +| < 2.0 | :x: | |
| 9 | + |
| 10 | +Only the latest release in the `2.0.x` series receives security updates. The legacy Python codebase and all `1.x` releases are **end-of-life** and will not be patched. Users on older versions should upgrade to the latest release immediately. |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +**Please do not open a public GitHub issue for security vulnerabilities.** |
| 15 | + |
| 16 | +Instead, report vulnerabilities privately using one of the following methods: |
| 17 | + |
| 18 | +1. **GitHub Private Vulnerability Reporting** — Use the [Security Advisories](https://github.com/timothymiller/cloudflare-ddns/security/advisories/new) page to submit a private report directly on GitHub. |
| 19 | +2. **Email** — Contact the maintainer directly at the email address listed on the [GitHub profile](https://github.com/timothymiller). |
| 20 | + |
| 21 | +### What to Include |
| 22 | + |
| 23 | +- A clear description of the vulnerability and its potential impact |
| 24 | +- Steps to reproduce or a proof-of-concept |
| 25 | +- Affected version(s) |
| 26 | +- Any suggested fix or mitigation, if applicable |
| 27 | + |
| 28 | +### What to Expect |
| 29 | + |
| 30 | +- **Acknowledgment** within 72 hours of your report |
| 31 | +- **Status updates** at least every 7 days while the issue is being investigated |
| 32 | +- A coordinated disclosure timeline — we aim to release a fix within 30 days of a confirmed vulnerability, and will credit reporters (unless anonymity is preferred) in the release notes |
| 33 | + |
| 34 | +If a report is declined (e.g., out of scope or not reproducible), you will receive an explanation. |
| 35 | + |
| 36 | +## Security Considerations |
| 37 | + |
| 38 | +This project handles **Cloudflare API tokens** that grant DNS editing privileges. Users should be aware of the following: |
| 39 | + |
| 40 | +### API Token Handling |
| 41 | + |
| 42 | +- **Never commit your API token** to version control or include it in Docker images. |
| 43 | +- Use `CLOUDFLARE_API_TOKEN_FILE` or Docker secrets to inject tokens at runtime rather than passing them as plain environment variables where possible. |
| 44 | +- Create a **scoped API token** with only "Edit DNS" permission on the specific zones you need — avoid using Global API Keys. |
| 45 | + |
| 46 | +### Container Security |
| 47 | + |
| 48 | +- The Docker image runs as a **static binary from scratch** with zero runtime dependencies, which minimizes the attack surface. |
| 49 | +- Use `security_opt: no-new-privileges:true` in Docker Compose deployments. |
| 50 | +- Pin image tags to a specific version (e.g., `timothyjmiller/cloudflare-ddns:v2.0.8`) rather than using `latest` in production. |
| 51 | + |
| 52 | +### Network Security |
| 53 | + |
| 54 | +- The default IP detection provider (`cloudflare.trace`) communicates directly with Cloudflare's infrastructure over HTTPS and does not log your IP. |
| 55 | +- All Cloudflare API calls are made over HTTPS/TLS. |
| 56 | +- `--network host` mode is required for IPv6 detection — be aware this gives the container access to the host's full network stack. |
| 57 | + |
| 58 | +### Supply Chain |
| 59 | + |
| 60 | +- The project is built with `cargo` and all dependencies are declared in `Cargo.lock` for reproducible builds. |
| 61 | +- Docker images are built via GitHub Actions and published to Docker Hub. Multi-arch builds cover `linux/amd64`, `linux/arm64`, and `linux/ppc64le`. |
| 62 | + |
| 63 | +## Scope |
| 64 | + |
| 65 | +The following are considered **in scope** for security reports: |
| 66 | + |
| 67 | +- Authentication or authorization flaws (e.g., token leakage, insufficient credential protection) |
| 68 | +- Injection vulnerabilities in configuration parsing |
| 69 | +- Vulnerabilities in DNS record handling that could lead to record hijacking or poisoning |
| 70 | +- Dependency vulnerabilities with a demonstrable exploit path |
| 71 | +- Container escape or privilege escalation |
| 72 | + |
| 73 | +The following are **out of scope**: |
| 74 | + |
| 75 | +- Denial of service against the user's own instance |
| 76 | +- Vulnerabilities in Cloudflare's API or infrastructure (report those to [Cloudflare](https://hackerone.com/cloudflare)) |
| 77 | +- Social engineering attacks |
| 78 | +- Issues requiring physical access to the host machine |
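Review bot: the image-pinning advice under "Container Security" ("Pin image tags to a specific version (e.g., `timothyjmiller/cloudflare-ddns:v2.0.8`) rather than using `latest` in production.") stops short of the control that actually protects against a tampered or re-pushed tag, since a version tag is still mutable; suggest adding that production deployments pin by digest (`image: timothyjmiller/cloudflare-ddns@sha256:<digest-from-release>`, placeholder) and check that digest against the one published by the GitHub Actions build. In the same spirit, the "Supply Chain" line "all dependencies are declared in `Cargo.lock` for reproducible builds" overstates what a lockfile gives you: `Cargo.lock` pins dependency versions and checksums, but does not by itself make the build bit-for-bit reproducible, so "to pin dependency versions" (and a note that release builds use `cargo build --locked`, if they do) would be the accurate wording. Minor: the Docker Compose snippet `security_opt: no-new-privileges:true` is a list-valued key in Compose, so readers copying it will want the `- no-new-privileges:true` form.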