We take security seriously. If you discover a security vulnerability, please follow these steps:

• Open a public GitHub issue for security vulnerabilities
• Disclose the vulnerability publicly before it's fixed

1. Email the maintainers with details about the vulnerability
2. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Initial Assessment: Within 7 days, we will provide an initial assessment
• Resolution Timeline: We aim to fix critical vulnerabilities within 30 days
• Disclosure: We will coordinate disclosure timing with you

When deploying sensor_app, follow these security practices:

• Never commit .env files to version control
• Store secrets securely (use vault solutions in production)
• Rotate Telegram tokens periodically
• Use restrictive file permissions for .env files:

  chmod 600 .env

• Run containers as non-root user (default in our Containerfile)
• Use read-only file systems where possible
• Limit container capabilities (configured in Quadlet with --cap-drop=all)
• Use --security-opt=no-new-privileges for additional security

• Use HTTPS for Telegram API (default)
• Consider network isolation for the container
• Limit outbound connections if possible

• Database files are stored in /app/data by default
• Ensure proper file permissions on host volumes
• Consider encryption at rest for sensitive deployments
• Review data retention settings (DATA_RETENTION_DAYS)

• Log files may contain sensitive timing information
• Ensure log directory has restricted permissions
• Consider log rotation and secure deletion

• Regularly update dependencies using Dependabot
• Review security advisories for dependencies
• Run pip-audit to check for known vulnerabilities:

  pip install pip-audit
  pip-audit

• Sensor values are validated against expected ranges
• Serial input is sanitized before processing
• Database queries use parameterized statements

• Telegram notifications have configurable rate limiting
• Prevents accidental notification flooding

• Non-root user in container
• Restrictive directory permissions (0o700)
• WAL mode for database integrity

No known vulnerabilities at this time.

For security concerns, contact the maintainers through:

• GitHub security advisories (preferred for confirmed vulnerabilities)
• Direct email to maintainers

Thank you for helping keep sensor_app secure!