cloudflare_ddns/SECURITY.md
Timothy Miller 8c7af02698 Revise SECURITY.md with version support and reporting updates
Updated the security policy to include new version support details and improved reporting guidelines for vulnerabilities.
2026-03-19 23:34:45 -04:00

Security Policy

Supported Versions

Version    Supported
2.0.x      Yes
< 2.0      No

Only the latest release in the 2.0.x series receives security updates. The legacy Python codebase and all 1.x releases are end-of-life and will not be patched. Users on older versions should upgrade to the latest release immediately.

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Instead, report vulnerabilities privately using one of the following methods:

  1. GitHub Private Vulnerability Reporting — Use the Security Advisories page to submit a private report directly on GitHub.
  2. Email — Contact the maintainer directly at the email address listed on the GitHub profile.

What to Include

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Affected version(s)
  • Any suggested fix or mitigation, if applicable

What to Expect

  • Acknowledgment within 72 hours of your report
  • Status updates at least every 7 days while the issue is being investigated
  • A coordinated disclosure timeline — we aim to release a fix within 30 days of a confirmed vulnerability, and will credit reporters (unless anonymity is preferred) in the release notes

If a report is declined (e.g., out of scope or not reproducible), you will receive an explanation.

Security Considerations

This project handles Cloudflare API tokens that grant DNS editing privileges. Users should be aware of the following:

API Token Handling

  • Never commit your API token to version control or include it in Docker images.
  • Use CLOUDFLARE_API_TOKEN_FILE or Docker secrets to inject tokens at runtime rather than passing them as plain environment variables where possible.
  • Create a scoped API token with only "Edit DNS" permission on the specific zones you need — avoid using Global API Keys.

Container Security

  • The Docker image runs as a static binary from scratch with zero runtime dependencies, which minimizes the attack surface.
  • Use security_opt: no-new-privileges:true in Docker Compose deployments.
  • Pin image tags to a specific version (e.g., timothyjmiller/cloudflare-ddns:v2.0.8) rather than using latest in production.

Network Security

  • The default IP detection provider (cloudflare.trace) communicates directly with Cloudflare's infrastructure over HTTPS and does not log your IP.
  • All Cloudflare API calls are made over HTTPS/TLS.
  • --network host mode is required for IPv6 detection — be aware this gives the container access to the host's full network stack.
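
The token, container, and network recommendations above combined into one Docker Compose service, as an added example that is not taken from the project's repository. The service name, the secret name, and the ./secrets/ path are assumptions, and the project's other settings (such as which records to update) are omitted.

```yaml
# Added example: hardened Compose deployment following this policy.
# Assumed names: service "cloudflare-ddns", secret "cloudflare_api_token",
# and the host path ./secrets/cloudflare_api_token.
services:
  cloudflare-ddns:
    # Pinned tag (the version this policy uses as its example), not "latest",
    # so an upgrade is a reviewed change rather than a side effect of a pull.
    image: timothyjmiller/cloudflare-ddns:v2.0.8
    restart: unless-stopped

    # Prevents the process from gaining privileges through setuid or
    # file capabilities.
    security_opt:
      - no-new-privileges:true

    environment:
      # Point at a file instead of placing the token value here. A value set
      # directly in the environment is visible in `docker inspect` output and
      # in this Compose file itself.
      CLOUDFLARE_API_TOKEN_FILE: /run/secrets/cloudflare_api_token

    # Compose mounts each listed secret at /run/secrets/<secret name>.
    secrets:
      - cloudflare_api_token

    # Enable only if IPv6 detection is needed. Host networking gives the
    # container access to the host's full network stack.
    # network_mode: host

secrets:
  cloudflare_api_token:
    # Holds a scoped token with only "Edit DNS" permission on the zones in
    # use. Keep this file out of version control and out of the image build
    # context, with restrictive file permissions on the host.
    file: ./secrets/cloudflare_api_token
```

Running `docker compose config` against the file shows the resolved service definition, which should contain the secret reference and no token value.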

Supply Chain

  • The project is built with cargo and all dependencies are declared in Cargo.lock for reproducible builds.
  • Docker images are built via GitHub Actions and published to Docker Hub. Multi-arch builds cover linux/amd64, linux/arm64, and linux/ppc64le.

Scope

The following are considered in scope for security reports:

  • Authentication or authorization flaws (e.g., token leakage, insufficient credential protection)
  • Injection vulnerabilities in configuration parsing
  • Vulnerabilities in DNS record handling that could lead to record hijacking or poisoning
  • Dependency vulnerabilities with a demonstrable exploit path
  • Container escape or privilege escalation

The following are out of scope:

  • Denial of service against the user's own instance
  • Vulnerabilities in Cloudflare's API or infrastructure (report those to Cloudflare)
  • Social engineering attacks
  • Issues requiring physical access to the host machine