350fe17e87
- Document fixed security issues from 2026-03-25 audit - Track all 7 security issues and their fixes - Add reporting instructions
26 lines
1.0 KiB
Markdown
26 lines
1.0 KiB
Markdown
# Security Policy
|
|
|
|
## Security Audit (2026-03-25)
|
|
|
|
This document tracks security issues found during the 2026-03-25 audit.
|
|
|
|
## Fixed Issues
|
|
|
|
| Issue | Severity | Fixed Date | Fix |
|
|
|-------|----------|------------|-----|
|
|
| Telegram bot token in process command line | CRITICAL | 2026-03-25 | Switched to Python urlopen from curl subprocess |
|
|
| HTML injection in Telegram messages | HIGH | 2026-03-25 | Added escape_html() function |
|
|
| Insufficient --search URL encoding | MEDIUM | 2026-03-26 | Use urllib.parse.quote() |
|
|
| --detail bounds not validated | MEDIUM | 2026-03-26 | Error on out of range |
|
|
| No response size limits | MEDIUM | 2026-03-26 | MAX_RESPONSE_SIZE check |
|
|
| Bare except: clauses | LOW | 2026-03-26 | Catch specific exceptions |
|
|
| No API rate limiting | LOW | 2026-03-26 | TokenBucket rate limiter |
|
|
|
|
## Open Issues
|
|
|
|
All security issues from this audit have been addressed in subsequent releases.
|
|
|
|
## Reporting Security Issues
|
|
|
|
If you find a security vulnerability, please report it by opening an issue.
|