Security Practices - Ktiseos-Nyx/Dataset-Tools GitHub Wiki

Security Policy

At Ktiseos Nyx, we are committed to the security of Dataset-Tools. While the application is currently under active development and has not yet reached a stable release, we take security vulnerabilities seriously and aim to address them promptly and transparently. We greatly appreciate the community's assistance in identifying and reporting potential issues.

Development Status & Supported Versions

Dataset-Tools is in an early stage of development. As such, our primary focus for features, bug fixes, and security improvements is the main branch, which reflects the latest development state.

  • main Branch: This is the most up-to-date version and the recommended branch for users interested in the latest developments.
  • Older Numbered Branches (e.g., 0.51, 0.55): These branches may exist for historical reference or to mark previous development milestones. While we will make reasonable efforts to address critical security vulnerabilities identified in these more recent older branches, our resources are primarily dedicated to the main branch.
  • Unsupported Branches: Branches older than 0.51 (or as otherwise specified by the development team) are considered unsupported and will likely not receive security updates.

Important: We strongly advise against using pre-release versions (especially those prior to more stable point releases like 0.55 or a future 1.0) in production environments or with sensitive data. These early versions are primarily for testing, development feedback, and community evaluation.

Reporting a Vulnerability

If you discover a potential security vulnerability in Dataset-Tools, please report it to us privately to allow us time to investigate and address the issue before it becomes publicly known. This helps protect all users of the application.

How to Report:

  1. Preferred Method: GitHub Security Advisories

    • Navigate to the "Security" tab in the Dataset-Tools GitHub repository.
    • Click on "Advisories," then "New draft security advisory."
    • This creates a private communication channel between you and the project maintainers to discuss and remediate the vulnerability.
    • Please DO NOT open a regular public GitHub issue for security vulnerabilities.
  2. Alternative Method (if GitHub Security Advisories are not feasible):

    • Direct Message on Discord: Send a direct message (DM) to a project maintainer (e.g., duskfallcrew or other designated maintainers) on our official Dataset-Tools Discord server.
    • Please do not post vulnerability details in public channels on Discord.

What to Include in Your Vulnerability Report:

To help us understand and address the issue effectively, please include the following:

  • Clear Description: A detailed explanation of the vulnerability.
  • Affected Version(s): Specify which branch(es) or commit(s) of Dataset-Tools are affected.
  • Steps to Reproduce: Provide precise, step-by-step instructions to reproduce the vulnerability.
  • Potential Impact: Describe the potential consequences if the vulnerability were exploited (e.g., data exposure, denial of service, unauthorized access).
  • Proof-of-Concept (PoC): If possible, provide a safe PoC. This could be code, a sequence of actions, or a configuration that demonstrates the vulnerability. Ensure any PoC does not cause harm.
  • Suggested Mitigation (Optional): If you have ideas on how to fix the vulnerability, feel free to include them.

Our Commitment:

We will make a best effort to:

  • Acknowledge receipt of your report in a timely manner.
  • Investigate the reported vulnerability.
  • Keep you informed of our progress.
  • Address the vulnerability as quickly as possible, considering the project's independent and volunteer-driven nature and the severity of the issue.
  • Publicly credit you for your discovery upon fixing the vulnerability, unless you prefer to remain anonymous.

Our Security Practices

  • Dependency Management: We strive to keep our dependencies up to date and are exploring tools (such as GitHub's Dependabot) to help automate the monitoring of dependencies for known vulnerabilities.
  • Code Review: New contributions, especially those impacting core functionality or handling user data, will undergo review.
  • Secure Coding Principles: We aim to follow secure coding best practices relevant to Python and PyQt6 development.

Security is an ongoing process rather than a finished state, especially for an evolving project. We are dedicated to continuously improving our security posture and value the community's vigilance and collaboration in this effort.

This security policy is subject to change as the project evolves. Please refer to the latest version in the main branch.