Supported Versions:

| Version | Supported | End of Life |
|---|---|---|
| 2.x.x | ✅ | Active |
| 1.x.x | ❌ | 2024-01-01 |
| < 1.0 | ❌ | Not supported |
Reporting a Vulnerability:

We take security seriously. If you discover a security vulnerability, please follow these steps:

- Do NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to the maintainers (see MAINTAINERS.md)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Affected versions
  - Suggested fix (if any)
Response Timeline:

| Severity | Acknowledgement | Status Update | Resolution Target |
|---|---|---|---|
| Critical | 24 hours | 48 hours | 7 days |
| High | 24 hours | 72 hours | 14 days |
| Medium | 48 hours | 7 days | 30 days |
| Low | 72 hours | 14 days | 90 days |
Severity Definitions:

- Critical: Remote code execution, data breach, authentication bypass
- High: Privilege escalation, significant data exposure
- Medium: Information disclosure, CSRF
- Low: Minor information leakage, best practice violations
Security Features:

- Local Storage: All data stored locally using CubDB (no cloud)
- Encryption: XChaCha20-Poly1305 for sensitive data (optional)
- Password Hashing: Argon2id for any authentication
- No Telemetry: No data sent to external servers

- Student submissions processed locally only
- No submission data leaves the tutor's machine
- Temporary files cleaned up after processing

- Default: Localhost-only web interface
- No external network calls required
- Optional: Post-quantum key exchange (Kyber)

- Elixir/BEAM fault tolerance
- No native code dependencies (pure Elixir where possible)
- WASM sandbox for plugins
- Dependencies audited regularly
Best Practices for Users:

- Keep Updated: Run the latest supported version
- File Permissions: Restrict access to the data directory
- Network: Keep the web interface bound to localhost unless remote access is actually needed
- Backups: Enable automatic backups
- Passwords: Use strong passwords if authentication is enabled
Disclosure Process:

- Report received and acknowledged
- Vulnerability verified and assessed
- Fix developed and tested
- Patch released with advisory
- Public disclosure after patch
Last updated: 2024-12-01