Skip to content

Security: DylanDevelops/tmpo

SECURITY.md

Security Policy

Supported Versions

We release security updates for the following versions of tmpo:

Version Supported
0.8.x
< 0.8.0

We recommend always using the latest stable release to ensure you have the most recent security patches.

Security Considerations

tmpo is a local-first CLI tool that stores time tracking data on your machine. Here are some security aspects to be aware of:

Local Data Storage

  • All time entries are stored in a SQLite database at $HOME/.tmpo/tmpo.db
  • The database is only accessible to your user account (standard file permissions apply)
  • Your time tracking data is never transmitted over the network

Update Checks

  • When you run tmpo version, tmpo performs a check for newer releases by making a read-only request to the GitHub API (https://api.github.com/repos/DylanDevelops/tmpo/releases/latest)
  • Only the latest release metadata is fetched; no time tracking data, configuration, or personal information is sent
  • The request fails silently if you are offline, so it never blocks or interrupts your workflow
  • You can disable this network request entirely by setting the TMPO_NO_UPDATE_CHECK environment variable to 1, true, or yes

Configuration Files

  • .tmporc files may contain project-specific configuration including hourly rates
  • These files are stored in plain text and inherit directory permissions
  • Be cautious when committing .tmporc files to version control if they contain sensitive rate information

Git Integration

  • tmpo uses Git commands for automatic project detection
  • Only basic Git metadata (repository name) is accessed
  • No Git credentials or remote repository data is used

Reporting a Vulnerability

If you discover a security vulnerability in tmpo, please report it responsibly:

Preferred Method:

Report via GitHub Security Advisories

What to Include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Affected versions (if known)
  • Potential impact
  • Any suggested fixes (optional)

Response Timeline:

  • We will acknowledge your report within 48 hours
  • We will provide an initial assessment within 5 business days
  • We will work to release a fix as quickly as possible depending on severity

Responsible Disclosure:

Please do not publicly disclose the vulnerability until we have had a chance to address it and release a fix. We will credit security researchers who report valid vulnerabilities (unless you prefer to remain anonymous).

Security Best Practices

When using tmpo, we recommend:

  • Keep your tmpo binary updated to the latest version
  • Be mindful of what information you include in time entry descriptions
  • Review .tmporc files before committing them to public repositories
  • Use appropriate file permissions for your ~/.tmpo/ directory
  • Regularly backup your time tracking data if it's business-critical

There aren't any published security advisories