Bump rustls-webpki from 0.103.9 to 0.103.10

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.9 to 0.103.10. - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10) --- updated-dependencies: - dependency-name: rustls-webpki dependency-version: 0.103.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Revise SECURITY.md with version support and reporting updates
2026-03-21 22:48:57 -03:00 · 2026-03-21 09:41:42 +00:00 · 2026-03-19 23:34:45 -04:00 · 2026-03-19 23:30:56 -04:00
3 changed files with 82 additions and 2 deletions
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -9,6 +9,8 @@ on:

 jobs:
  build:
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1046,9 +1046,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
 "ring",
 "rustls-pki-types",
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,78 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.0.x   | :white_check_mark: |
+| < 2.0   | :x:                |
+
+Only the latest release in the `2.0.x` series receives security updates. The legacy Python codebase and all `1.x` releases are **end-of-life** and will not be patched. Users on older versions should upgrade to the latest release immediately.
+
+## Reporting a Vulnerability
+
+**Please do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, report vulnerabilities privately using one of the following methods:
+
+1. **GitHub Private Vulnerability Reporting** — Use the [Security Advisories](https://github.com/timothymiller/cloudflare-ddns/security/advisories/new) page to submit a private report directly on GitHub.
+2. **Email** — Contact the maintainer directly at the email address listed on the [GitHub profile](https://github.com/timothymiller).
+
+### What to Include
+
+- A clear description of the vulnerability and its potential impact
+- Steps to reproduce or a proof-of-concept
+- Affected version(s)
+- Any suggested fix or mitigation, if applicable
+
+### What to Expect
+
+- **Acknowledgment** within 72 hours of your report
+- **Status updates** at least every 7 days while the issue is being investigated
+- A coordinated disclosure timeline — we aim to release a fix within 30 days of a confirmed vulnerability, and will credit reporters (unless anonymity is preferred) in the release notes
+
+If a report is declined (e.g., out of scope or not reproducible), you will receive an explanation.
+
+## Security Considerations
+
+This project handles **Cloudflare API tokens** that grant DNS editing privileges. Users should be aware of the following:
+
+### API Token Handling
+
+- **Never commit your API token** to version control or include it in Docker images.
+- Use `CLOUDFLARE_API_TOKEN_FILE` or Docker secrets to inject tokens at runtime rather than passing them as plain environment variables where possible.
+- Create a **scoped API token** with only "Edit DNS" permission on the specific zones you need — avoid using Global API Keys.
+
+### Container Security
+
+- The Docker image runs as a **static binary from scratch** with zero runtime dependencies, which minimizes the attack surface.
+- Use `security_opt: no-new-privileges:true` in Docker Compose deployments.
+- Pin image tags to a specific version (e.g., `timothyjmiller/cloudflare-ddns:v2.0.8`) rather than using `latest` in production.
+
+### Network Security
+
+- The default IP detection provider (`cloudflare.trace`) communicates directly with Cloudflare's infrastructure over HTTPS and does not log your IP.
+- All Cloudflare API calls are made over HTTPS/TLS.
+- `--network host` mode is required for IPv6 detection — be aware this gives the container access to the host's full network stack.
+
+### Supply Chain
+
+- The project is built with `cargo` and all dependencies are declared in `Cargo.lock` for reproducible builds.
+- Docker images are built via GitHub Actions and published to Docker Hub. Multi-arch builds cover `linux/amd64`, `linux/arm64`, and `linux/ppc64le`.
+
+## Scope
+
+The following are considered **in scope** for security reports:
+
+- Authentication or authorization flaws (e.g., token leakage, insufficient credential protection)
+- Injection vulnerabilities in configuration parsing
+- Vulnerabilities in DNS record handling that could lead to record hijacking or poisoning
+- Dependency vulnerabilities with a demonstrable exploit path
+- Container escape or privilege escalation
+
+The following are **out of scope**:
+
+- Denial of service against the user's own instance
+- Vulnerabilities in Cloudflare's API or infrastructure (report those to [Cloudflare](https://hackerone.com/cloudflare))
+- Social engineering attacks
+- Issues requiring physical access to the host machine