| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +| Version | Supported | |
| 6 | +| ------- | --------- | |
| 7 | +| 0.4.x | Yes | |
| 8 | +| < 0.4 | No | |
| 9 | + |
| 10 | +## Reporting a Vulnerability |
| 11 | + |
| 12 | +If you discover a security vulnerability in NetDriver, **please do not open a public GitHub issue**. |
| 13 | + |
| 14 | +Instead, report it via one of the following channels: |
| 15 | + |
| 16 | +- **Email**: Send details to the maintainers at the addresses listed in `pyproject.toml` |
| 17 | +- **GitHub Private Advisory**: Use [GitHub Security Advisories](https://github.com/features/security-advisories) on this repository |
| 18 | + |
| 19 | +Please include the following in your report: |
| 20 | + |
| 21 | +- A description of the vulnerability and its potential impact |
| 22 | +- Steps to reproduce the issue |
| 23 | +- Affected versions |
| 24 | +- Any suggested mitigations or patches (if available) |
| 25 | + |
| 26 | +We aim to acknowledge receipt within **3 business days** and provide an initial assessment within **7 business days**. |
| 27 | + |
| 28 | +## Security Considerations |
| 29 | + |
| 30 | +NetDriver interacts with network devices over SSH and exposes a REST API. When deploying this project, consider the following: |
| 31 | + |
| 32 | +### Credentials and Secrets |
| 33 | + |
| 34 | +- Device credentials (username/password) are passed via API requests. Use TLS/HTTPS in all deployments to prevent credential exposure in transit. |
| 35 | +- Do not log credentials. The agent configuration should be reviewed to ensure no sensitive fields appear in log output. |
| 36 | +- Rotate device credentials regularly and restrict API access to trusted clients. |
| 37 | + |
| 38 | +### API Authentication |
| 39 | + |
| 40 | +- The agent HTTP API does **not** include built-in authentication. Deploy it behind an API gateway, reverse proxy, or firewall that enforces authentication and authorization appropriate for your environment. |
| 41 | +- Restrict network access to the agent port (default: 8000) to trusted hosts only. |
| 42 | + |
| 43 | +### SSH Host Verification |
| 44 | + |
| 45 | +- By default, AsyncSSH may be configured to skip host key verification for convenience. In production, enable strict host key checking to prevent man-in-the-middle attacks. |
| 46 | + |
| 47 | +### Plugin Code Execution |
| 48 | + |
| 49 | +- Plugins are loaded dynamically from the `components/netdriver/plugins/` directory at startup. Ensure that only trusted code is present in the plugin directories and that the deployment environment has appropriate file system permissions. |
| 50 | + |
| 51 | +### Simulated Devices (simunet) |
| 52 | + |
| 53 | +- The `simunet` SSH server is intended for **testing purposes only**. Do not expose it on public networks or use it in production environments. |
| 54 | + |
| 55 | +## Disclosure Policy |
| 56 | + |
| 57 | +We follow a coordinated disclosure process. Once a fix is available, we will: |
| 58 | + |
| 59 | +1. Release a patched version |
| 60 | +2. Publish a security advisory describing the vulnerability, its impact, and the fix |
| 61 | +3. Credit the reporter (unless they prefer to remain anonymous) |
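Review bot: the SSH Host Verification bullet hedges on what the code actually does ("By default, AsyncSSH may be configured to skip host key verification for convenience") without stating whether NetDriver ships with verification disabled or how an operator turns strict checking on. A security policy should state the real default and name the configuration option or code path that controls it (for example, whether the agent opens connections with AsyncSSH's `known_hosts=None` and which setting changes that), otherwise a deployer cannot act on or verify the advice. The same gap applies to the Credentials bullet "The agent configuration should be reviewed to ensure no sensitive fields appear in log output": name the logging setting, or the fields the agent redacts, instead of leaving the review to the reader.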