Skip to content

Security: adamsimms/cloudberry

SECURITY.md

Security Policy

Supported versions

Version Supported
3.0.x
< 3.0

Reporting a vulnerability

If you discover a security issue, please do not open a public GitHub issue.

Use GitHub private vulnerability reporting. On the repository, open the Security tab and click Report a vulnerability. Your report stays private until we publish an advisory.

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • Impact assessment (e.g. credential exposure, remote code execution)
  • Any suggested fix, if you have one

We will acknowledge receipt and work on a fix as soon as possible. For credential leaks, assume rotation is required immediately.

Security best practices for deployments

AWS credentials

  • Never commit secrets.env, config.ini, or AWS keys to git.
  • Use secrets.env (see .env.example) or environment variables when possible.
  • Scope IAM permissions to a single bucket — see docs/aws-iam-policy.json.
  • Rotate any credentials that were ever committed to older versions of this repository.

Local files

  • setup.sh sets secrets.env and config.ini to mode 600. Keep them owner-readable only.
  • Log files in logs/ may contain paths and upload metadata; restrict access on shared systems.

S3 access

  • Keep make_public = false unless you explicitly need public objects.
  • Many buckets disable ACLs; use bucket policies instead of object ACLs.
  • Review bucket policies and block public access settings in AWS.

Shutdown hook

  • shutdown_after and --shutdown require passwordless sudo for shutdown -h now.
  • Only install docs/sudoers-cloudberry-shutdown for the dedicated Pi user on field devices.
  • Do not grant broader sudo access than necessary.

Dependencies

  • Python 3.9+ required (pyproject.toml).
  • Install with pip install -e ".[dev]" locally or pip install -e ".[pi]" on a Pi.
  • Dependabot opens PRs for pip and GitHub Actions updates.
  • Review dependency updates before merging, especially on production Pis.

Known limitations

  • Cloudberry is designed for single-user, single-device field deployment — not multi-tenant or internet-exposed services.
  • Preflight checks validate connectivity but do not perform full security auditing.

There aren't any published security advisories