We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of FDE seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:

- Open a public issue on GitHub
- Publicly disclose the vulnerability before it has been addressed

Please do:

- Email us at security@your-domain.com (or create a private security advisory on GitHub)
- Include details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

What to expect after you report:

- Acknowledgment - We'll acknowledge your report within 48 hours
- Updates - We'll keep you informed about our progress
- Credit - We'll credit you in the security advisory (unless you prefer to remain anonymous)
When using FDE:
- Keep tokens secure - Never commit tokens to version control
- Use strong tokens - Generate random, long tokens (32+ characters)
- HTTPS only - Always use HTTPS in production
- Regular updates - Keep FDE updated to the latest version
- Limit access - Restrict server access to trusted networks
- Review logs - Regularly check deployment logs for suspicious activity
Example secure configuration:

```yaml
# server.yaml
port: 3000
environments:
  prod:
    # Use environment variable, not hardcoded token
    token: ${DEPLOY_TOKEN}
    uploadPath: "/var/www/html"
    deployCommand: "nginx -s reload"
```

```bash
# Set token via environment variable
export DEPLOY_TOKEN=$(openssl rand -hex 32)
```

Security considerations specific to FDE:

- Token-based authentication - Tokens should be treated like passwords
- File uploads - Only accept uploads from trusted sources
- Command execution - Deploy commands run with server privileges
- Checksum verification - Always enable checksum verification in production
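The following pre-deploy checks are an added example, not part of FDE or its tooling; they enforce the two practices above (token read from an environment variable, 32+ characters) against the server.yaml pattern shown. They assume the config key is literally `token:` and that env-var references use the `${VAR}` form; the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of FDE: pre-deploy sanity checks for the
# server.yaml pattern above. Assumes the config key is literally "token:"
# and that env-var references use the ${VAR} form shown on this page.

# Constructed sample configs, written to temp files so the checks run offline.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
port: 3000
environments:
  prod:
    token: ${DEPLOY_TOKEN}
    uploadPath: "/var/www/html"
EOF
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
port: 3000
environments:
  prod:
    token: "hunter2"
    uploadPath: "/var/www/html"
EOF

# check_token_strength TOKEN -> 0 if the token is at least 32 characters, else 1
check_token_strength() {
  [ "${#1}" -ge 32 ]
}

# check_config FILE -> 0 if every token: line references an env var (${VAR})
# rather than a literal secret committed to the file, else 1
check_config() {
  ! grep -E '^[[:space:]]*token:' "$1" | grep -vqE '\$\{[A-Za-z_][A-Za-z0-9_]*\}'
}

# check_env_tokens FILE -> 0 if every ${VAR} referenced on a token: line is
# set in the environment and passes check_token_strength, else 1
check_env_tokens() {
  for var in $(grep -E '^[[:space:]]*token:' "$1" |
               sed -n 's/.*\$[{]\([A-Za-z_][A-Za-z0-9_]*\)[}].*/\1/p'); do
    eval "val=\${$var:-}"
    check_token_strength "$val" || { echo "weak or unset: $var" >&2; return 1; }
  done
}

# Typical use before starting the server:
#   export DEPLOY_TOKEN=$(openssl rand -hex 32)
#   check_config server.yaml && check_env_tokens server.yaml
```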
Security updates will be released as patch versions and announced via:
- GitHub Security Advisories
- GitHub Releases
- CHANGELOG.md
Thank you for helping keep FDE secure! 🔒