Report security issues via GitHub's private vulnerability reporting:
Do not open a public issue for security vulnerabilities.
I aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for critical issues.
CloudDump handles sensitive credentials (AWS keys, database passwords, API tokens). The following are in scope:
- Credential leakage in logs, emails, or process arguments
- Path traversal in backup destinations
- Command injection via configuration values
- Container escape or privilege escalation
- Redaction bypasses
These are by design and not considered vulnerabilities:
- Credentials in config file — All credentials (database passwords, API tokens, AWS keys) live in the JSON config file. CloudDump just reads a file — it does not care how that file is populated. You can use Kubernetes Secrets, Docker secrets, Vault agent injection, or any mechanism that produces a file at /config/config.json. Mount it read-only.
- AWS CLI v1 is used (Debian 12 apt). v2 is not available via apt for this release.
- Database credentials are passed via environment variables to pg_dump/mysqldump. This is standard practice for these tools.
- GitHub token is written to a temporary file (deleted after use) because github-backup does not support environment variables.
- The container requires write access to /backup. Use appropriate volume permissions in your orchestrator.
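The following is an added illustration, not CloudDump's own code, of the two points above that matter most for a backup tool: the database password goes to pg_dump/mysqldump only through the environment (PGPASSWORD for libpq, MYSQL_PWD for the MySQL clients), never in process arguments, and every value the config file marks as a secret is redacted before a command line is logged. The function names, the `SAMPLE_CONFIG` dictionary and its placeholder passwords are assumptions constructed for the example; the tool's real config layout may differ.

```python
import os
import shlex
import subprocess
from typing import Dict, List, Tuple

# Constructed sample config in the shape the policy describes (all secrets in
# one JSON-style document). The password values are placeholders, not real.
SAMPLE_CONFIG: Dict[str, Dict[str, str]] = {
    "postgres": {"host": "db.internal", "user": "backup",
                 "password": "pg-s3cret-EXAMPLE", "dbname": "app"},
    "mysql": {"host": "mysql.internal", "user": "backup",
              "password": "my-s3cret-EXAMPLE", "dbname": "app"},
}

# Config keys whose values must never reach argv, logs or emails.
SECRET_KEYS = {"password", "token", "secret_access_key", "api_key"}

# Minimal environment for the child: no inherited secrets, PATH only.
BASE_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}


def build_pg_dump(cfg: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv, env) for pg_dump with the password only in the environment.

    libpq reads PGPASSWORD, so the password never appears in argv, where any
    local user could read it from `ps` or /proc/<pid>/cmdline. --no-password
    makes pg_dump fail instead of prompting if the variable is missing.
    """
    argv = ["pg_dump", "--host", cfg["host"], "--username", cfg["user"],
            "--no-password", cfg["dbname"]]
    env = dict(BASE_ENV, PGPASSWORD=cfg["password"])
    return argv, env


def build_mysqldump(cfg: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Same idea for mysqldump: MYSQL_PWD is read by the MySQL client library."""
    argv = ["mysqldump", "--host", cfg["host"], "--user", cfg["user"], cfg["dbname"]]
    env = dict(BASE_ENV, MYSQL_PWD=cfg["password"])
    return argv, env


def collect_secrets(config: Dict[str, Dict[str, str]]) -> List[str]:
    """Every value stored under a secret-bearing key, longest first so that a
    secret which is a prefix of another cannot leave a partial leak behind."""
    found = [v for section in config.values()
             for k, v in section.items() if k in SECRET_KEYS and v]
    return sorted(set(found), key=len, reverse=True)


def redact(text: str, secrets: List[str]) -> str:
    """Replace every known secret value in text before it is logged or mailed."""
    for s in secrets:
        text = text.replace(s, "[REDACTED]")
    return text


def argv_leaks_secret(argv: List[str], secrets: List[str]) -> bool:
    """True if any argument contains a secret (e.g. a --password=... flag)."""
    return any(s in arg for arg in argv for s in secrets)


def log_line(argv: List[str], secrets: List[str]) -> str:
    """The redacted line a wrapper would write to its log or status email."""
    return redact("running: " + shlex.join(argv), secrets)


def run_dump(argv: List[str], env: Dict[str, str], dest_path: str,
             secrets: List[str]) -> int:
    """Refuse to start if a secret is in argv; otherwise stream stdout to dest.

    stderr is captured and redacted before being surfaced, because dump tools
    echo connection details on failure.
    """
    if argv_leaks_secret(argv, secrets):
        raise ValueError("refusing to run: secret present in process arguments")
    with open(dest_path, "wb") as out:
        proc = subprocess.run(argv, env=env, stdout=out, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        print(redact(proc.stderr.decode(errors="replace"), secrets))
    return proc.returncode


if __name__ == "__main__":
    secrets = collect_secrets(SAMPLE_CONFIG)
    for builder, section in ((build_pg_dump, "postgres"), (build_mysqldump, "mysql")):
        argv, env = builder(SAMPLE_CONFIG[section])
        print(log_line(argv, secrets), "| leaks:", argv_leaks_secret(argv, secrets))
```

The `run_dump` check is the cheap guard against the in-scope "credential leakage in process arguments" class: if a future change moves a password into a `--password=` flag, the wrapper refuses to start rather than exposing it. `collect_secrets` sorts longest first so that redaction of one secret cannot leave the tail of a longer one readable.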