| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| < 3.0 | ❌ |
If you discover a security issue, please do not open a public GitHub issue.
Use GitHub private vulnerability reporting. On the repository, open the Security tab and click Report a vulnerability. Your report stays private until we publish an advisory.
Include:
- A description of the vulnerability
- Steps to reproduce
- Impact assessment (e.g. credential exposure, remote code execution)
- Any suggested fix, if you have one
We will acknowledge receipt and work on a fix as soon as possible. For credential leaks, assume rotation is required immediately.
- Never commit
secrets.env,config.ini, or AWS keys to git. - Use
secrets.env(see.env.example) or environment variables when possible. - Scope IAM permissions to a single bucket — see docs/aws-iam-policy.json.
- Rotate any credentials that were ever committed to older versions of this repository.
setup.shsetssecrets.envandconfig.inito mode600. Keep them owner-readable only.- Log files in
logs/may contain paths and upload metadata; restrict access on shared systems.
- Keep
make_public = falseunless you explicitly need public objects. - Many buckets disable ACLs; use bucket policies instead of object ACLs.
- Review bucket policies and block public access settings in AWS.
shutdown_afterand--shutdownrequire passwordlesssudoforshutdown -h now.- Only install docs/sudoers-cloudberry-shutdown for the dedicated Pi user on field devices.
- Do not grant broader sudo access than necessary.
- Python 3.9+ required (
pyproject.toml). - Install with
pip install -e ".[dev]"locally orpip install -e ".[pi]"on a Pi. - Dependabot opens PRs for pip and GitHub Actions updates.
- Review dependency updates before merging, especially on production Pis.
- Cloudberry is designed for single-user, single-device field deployment — not multi-tenant or internet-exposed services.
- Preflight checks validate connectivity but do not perform full security auditing.