We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 1.4.x | ✅ |
| < 1.4 | ❌ |
We take the security of QRTAK seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not:
- Open a public GitHub issue for the vulnerability
- Disclose the vulnerability publicly before we've had a chance to fix it
Instead, please:
- Email us at: joshuafuller@users.noreply.github.com
- Provide detailed steps to reproduce the vulnerability
- Describe the impact and realistic exploit scenarios
- Allow us reasonable time to respond and fix the issue
After you report, you can expect:
- An acknowledgment within 48 hours
- Regular updates on our progress
- Credit in the release notes (unless you prefer to remain anonymous)
This project implements several security measures.
Automated scanning in CI:
- Dependabot: Automated dependency updates
- CodeQL: Static analysis for security vulnerabilities
- Trivy: Container vulnerability scanning
- Grype: Additional container security validation
- OSSF Scorecard: Security best practices evaluation
- Snyk: Dependency vulnerability scanning
Supply-chain hardening:
- All dependencies are locked to exact versions
- An SBOM (Software Bill of Materials) is generated for each release
- All GitHub Actions are pinned to full commit SHAs rather than mutable tags or branches
- Dependabot raises automated pull requests for security updates
Application security:
- Content Security Policy (CSP) headers
- No external runtime dependencies in production code other than the QR code library
- Input validation and sanitization
- Secure defaults for all configurations
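Pinning actions to a 40-hex commit SHA is the measure above that is easiest to let slip: a new step added with `@v4` or `@master` silently reintroduces a mutable reference. The following checker is an added example, not code from the QRTAK project; it scans workflow YAML for `uses:` lines and reports every reference that is not an immutable SHA (or, for `docker://` images, a digest). The sample workflow and its SHAs are constructed placeholders, not real commits.

```python
import re
from typing import List, Optional

# A 40-hex-digit commit SHA is the only immutable ref for a GitHub Action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses:" lines; group 1 is the ref, group 2 the optional trailing "# v1.2.3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")

# Constructed sample workflow for illustration; not the QRTAK project's workflow,
# and the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
      - name: Scan
        uses: aquasecurity/trivy-action@master
"""


def check_uses(ref: str, comment: Optional[str] = None) -> Optional[str]:
    """Return a finding for an unpinned `uses:` ref, or None if it is acceptably pinned."""
    if ref.startswith("./"):
        return None  # local action: versioned together with the repository itself
    if ref.startswith("docker://"):
        # Container images are immutable only when referenced by digest.
        return None if "@sha256:" in ref else f"{ref}: image not pinned by digest"
    if "@" not in ref:
        return f"{ref}: no ref given, resolves to the default branch"
    _, tag = ref.rsplit("@", 1)
    if not SHA_RE.match(tag):
        return f"{ref}: pinned to mutable ref '{tag}', not a commit SHA"
    if comment is None:
        # Reviewers (and Dependabot) rely on the version comment to know what the SHA is.
        return f"{ref}: pinned to a SHA but missing the '# vX.Y.Z' version comment"
    return None


def audit_workflow(text: str) -> List[str]:
    """Scan workflow YAML text and return one finding per unpinned action, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        finding = check_uses(m.group(1), m.group(2))
        if finding:
            findings.append(f"line {lineno}: {finding}")
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f)
```

Run it over every file under `.github/workflows/` as a CI step that fails on any finding; the line-based match deliberately avoids a YAML parser so it also catches `uses:` inside composite actions and reusable workflows.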
Recommended practices when deploying QRTAK:
- Always serve QRTAK over HTTPS
- Keep your instance updated with the latest security patches
- Use strong, unique passwords for TAK server connections
- Verify the contents of generated QR codes before scanning them into TAK clients in production
- Run in containers for better isolation
- Enable security headers (CSP, HSTS, X-Content-Type-Options, Referrer-Policy) in your web server or reverse proxy configuration
When we receive a security report, we will:
- Confirm the vulnerability
- Determine the affected versions
- Develop a fix
- Release a security update
- Publicly disclose the vulnerability details
We aim to complete this process within 30 days of the initial report.
We'd like to thank the following security researchers for responsibly disclosing vulnerabilities:
None reported yet - be the first!