pxBackupManager takes security seriously. If you discover a security vulnerability, please report it responsibly by emailing hey@codemeapixel.dev instead of using the public issue tracker.
When reporting a security vulnerability, please provide:
- Description - A clear description of the vulnerability
- Location - Which file(s) or component(s) are affected
- Severity - Your assessment of the severity (Critical, High, Medium, Low)
- Steps to Reproduce - Instructions on how to reproduce the vulnerability
- Proof of Concept - Code or detailed steps demonstrating the vulnerability (optional but helpful)
- Potential Impact - Description of the potential harm
Response timeline:
- 24 hours: Initial acknowledgment of your report
- 7 days: Initial assessment and proposed fix timeline
- 30 days: Target for publishing a security patch (may vary depending on complexity)
Configuration best practices:
- Never commit credentials to version control (database passwords, API keys, S3 secrets)
- Use environment variables or secure configuration files for sensitive data
- Ensure backup directories have appropriate file permissions (e.g., `chmod 700`)
- Store database passwords securely and restrict access to configuration files
Backup storage:
- Store backups on a separate disk/filesystem from the server data
- Implement proper access controls on backup directories
- Consider encrypting backups at rest
- Verify backup integrity periodically
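One way to do the periodic integrity check recommended above, as an added example that is not part of pxBackupManager: a small POSIX shell script that records a SHA-256 manifest when a backup set is written and verifies it later, failing both on a modified or missing file and on a file that appeared after the manifest was taken. It assumes GNU coreutils (`sha256sum`); the sample backup files and their names are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not pxBackupManager code. Records a SHA-256 manifest for a
# backup directory and verifies it later; assumes GNU coreutils sha256sum.

# write_manifest DIR MANIFEST
# Hash every regular file below DIR (paths relative to DIR) into MANIFEST.
# Keep MANIFEST on a different filesystem or medium than DIR where possible:
# a manifest stored next to the backups can be rewritten along with them.
write_manifest() {
    dir="$1"
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$dir" && find . -type f ! -name "$(basename "$manifest")" \
          -exec sha256sum {} + | LC_ALL=C sort ) > "$manifest"
}

# verify_manifest DIR MANIFEST
# Returns 0 only if every listed file still matches its recorded digest AND
# no files have appeared in DIR since the manifest was written.
verify_manifest() {
    dir="$1"
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$dir" && sha256sum --check --quiet "$manifest" ) || return 1
    listed=$(wc -l < "$manifest" | tr -d ' ')
    present=$(cd "$dir" && find . -type f ! -name "$(basename "$manifest")" | wc -l | tr -d ' ')
    [ "$listed" -eq "$present" ]
}

# Demonstration on constructed sample files in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir "$work/backups"
    printf 'CREATE TABLE t (id INT);\n' > "$work/backups/your_db-2024-01-01.sql"
    printf 'sample archive bytes\n' > "$work/backups/files-2024-01-01.tar"
    write_manifest "$work/backups" "$work/SHA256SUMS"
    verify_manifest "$work/backups" "$work/SHA256SUMS" && echo "backup set intact"
    # Append one byte to simulate silent corruption or tampering.
    printf 'x' >> "$work/backups/files-2024-01-01.tar"
    verify_manifest "$work/backups" "$work/SHA256SUMS" || echo "backup set MODIFIED, do not restore from it"
    rm -rf "$work"
}
demo
```

Run `write_manifest` from the same job that produces the backup and `verify_manifest` from a separate scheduled check; the added file count comparison matters because `sha256sum --check` alone only looks at files that are already listed.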
S3 storage:
- Use IAM users/roles with minimal required permissions for S3 access
- Never share S3 credentials in logs or configuration files
- Use S3 bucket policies to restrict access
- Enable S3 server-side encryption for backups at rest
- Consider using temporary credentials with STS tokens
Discord notifications:
- Discord webhook URLs contain sensitive tokens
- Protect webhook URLs in configuration files
- Rotate webhook URLs periodically if they're exposed
- Use Discord permissions carefully when creating webhooks
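The webhook points above come down to one fact: the trailing segment of a Discord webhook URL is the secret, so it must never land in a log file or a pasted error report. As an added example that is not pxBackupManager's own code, the following POSIX shell filter redacts that segment while keeping the numeric id for troubleshooting. The log line, id and token are constructed; the URL shape (`https://discord.com/api/webhooks/<id>/<token>`, with `discordapp.com` on older webhooks) is Discord's documented format.

```shell
#!/bin/sh
# Added example, not pxBackupManager code: redact the secret token segment of
# Discord webhook URLs before log lines are written, so that leaked or shared
# logs do not also leak the webhook.

# redact_webhook_stream: filter stdin -> stdout, for use in a pipeline, e.g.
#   /path/to/pxBackupManager ... 2>&1 | redact_webhook_stream >> backup.log
redact_webhook_stream() {
    sed -E 's#(discord(app)?\.com/api/webhooks/[0-9]+)/[A-Za-z0-9_-]+#\1/[REDACTED]#g'
}

# redact_webhook LINE: the same transformation applied to a single string.
redact_webhook() {
    printf '%s\n' "$1" | redact_webhook_stream
}

# Constructed sample log line (the channel id and token are made up).
SAMPLE_LINE='2024-01-01T02:00:07Z notify: POST https://discord.com/api/webhooks/123456789012345678/aBcDeFgH-ijKLmn_opQR failed: 401'
redact_webhook "$SAMPLE_LINE"
```

If a token does reach a log despite the filter, treat it as exposed and rotate the webhook, as the list above says; redaction reduces the chance of a leak but does not undo one.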
Access control:
- Create a dedicated backup user account with minimal privileges
- Restrict cron/systemd service permissions
- Use file permissions to control who can read/modify backups
- Implement proper authentication if backing up from multiple servers
Example Linux setup:

```bash
# Create dedicated backup user
sudo useradd -r -s /bin/false backup
# Set restrictive permissions on backup directory
sudo mkdir -p /backups
sudo chown backup:backup /backups
sudo chmod 700 /backups
# Run backup tool with reduced privileges
sudo -u backup /path/to/pxBackupManager -db-name "your_db"
```

On Windows:
- Run the backup tool with a dedicated service account
- Use Windows Task Scheduler with restricted permissions
- Store configuration in files with restricted NTFS permissions
- Use Windows credential manager for sensitive data
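Once the Linux setup above is in place, permissions tend to drift (a config file edited as root and left `644`, a backup directory recreated with default permissions). The following pre-flight check, an added example that is not part of pxBackupManager, refuses to continue unless the job is running as the dedicated account and both the backup directory and the configuration file are private to it. The configuration file path and the default account name are assumptions, not paths the tool itself reads, and `stat -c` is GNU coreutils syntax; the demonstration runs on a temporary directory owned by whoever executes the script.

```shell
#!/bin/sh
# Added example, not pxBackupManager code: a pre-flight check for the Linux
# setup above. Continues only if the job runs as the dedicated account and the
# backup directory and configuration file grant nothing to group/others.

# check_private PATH UID
# Succeeds only if PATH exists, is owned by numeric UID and grants nothing
# to group or others (modes such as 700, 600 or 4700).
check_private() {
    path="$1"; want_uid="$2"
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path")
    uid=$(stat -c '%u' "$path")
    case "$mode" in
        *00) ;;
        *) echo "$path is accessible to group/others (mode $mode)" >&2; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "$path is owned by uid $uid, expected $want_uid" >&2; return 1; }
}

# preflight BACKUP_DIR CONFIG_FILE ACCOUNT
preflight() {
    backup_dir="${1:-/backups}"
    config="${2:-/etc/pxbackupmanager/config.env}"   # assumed location
    account="${3:-backup}"
    want_uid=$(id -u "$account" 2>/dev/null) || { echo "no such account: $account" >&2; return 1; }
    [ "$(id -u)" = "$want_uid" ] || { echo "run as $account (uid $want_uid), not uid $(id -u)" >&2; return 1; }
    check_private "$backup_dir" "$want_uid" || return 1
    check_private "$config" "$want_uid" || return 1
}

# Intended use from the backup account's cron entry (not executed here):
#   preflight /backups /etc/pxbackupmanager/config.env backup && \
#       exec /path/to/pxBackupManager -db-name "your_db"

# Demonstration on a temporary directory, run as whoever executes this script.
demo() {
    me=$(id -un); work=$(mktemp -d)
    chmod 700 "$work"; touch "$work/config.env"; chmod 600 "$work/config.env"
    preflight "$work" "$work/config.env" "$me" && echo "pre-flight OK"
    chmod 644 "$work/config.env"        # a common mistake after editing the file
    preflight "$work" "$work/config.env" "$me" || echo "pre-flight FAILED, refusing to run"
    rm -rf "$work"
}
demo
```

The check tests permission bits rather than an exact mode so that `600`, `700` and setuid/setgid variants all pass while any group or world access fails; the numeric uid comparison avoids depending on name resolution inside minimal containers.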
Known limitations:
- Backups are point-in-time snapshots; they may not include data written between backup intervals
- MariaDB `mysqldump` locks tables during backup (use `--single-transaction` for InnoDB)
- Large backups may consume significant disk space
- Network bandwidth may be a bottleneck when uploading to S3
Planned security enhancements:
- Encryption of backups at rest using AES-256
- Backup integrity verification (SHA-256 checksums)
- Audit logging for backup operations
- Automatic backup deletion with secure wiping
- Integration with key management services
We recommend:
- Keep Go updated - Use the latest stable version of Go
- Monitor dependencies - Watch for security updates in AWS SDK and other dependencies
- Follow releases - Star the repository to be notified of security updates
- Update regularly - Apply updates as soon as they're released
Security updates are provided for:
- Current version (latest release)
- Previous major version (if applicable)
Older versions are not supported and may not receive security patches.
After a security patch is released, we will:
- Publish a security advisory on GitHub
- Document the vulnerability and fix in release notes
- Recommend all users update to the patched version
- Credit the security researcher (if they wish to be credited)
Contact:
- Security Email: hey@codemeapixel.dev
- GitHub: https://github.com/CodeMeAPixel/pxBackupManager
Thank you for helping keep pxBackupManager secure!