Security: OpenElementsLabs/db-backup-service

SECURITY.md

Security Policy

Threat model

db-backup-service is designed to run on an internal Docker or Kubernetes network — alongside the PostgreSQL instance it backs up. It is not intended to be exposed to the public internet.

The service uses:

  • A single static bearer token (API_TOKEN) for REST API authentication.
  • No TLS, rate limiting, WAF, or CORS — these must be provided by the operator (e.g. an upstream reverse proxy) if the service is ever reachable outside the internal network.
  • No per-user authorization or audit logging. Per-user controls are the responsibility of the calling backend service.

See IDEA.md §13 for the full rationale.

Supported versions

Only the latest released version receives security fixes.

Version   Supported
latest    yes
older     no

Reporting a vulnerability

Please report suspected security issues privately by email to:

hendrik.ebbers@open-elements.com

Do not open a public GitHub issue for security reports.

When reporting, please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce, or a proof-of-concept if available.
  • The affected version(s).
  • Any suggested mitigations you have in mind.

You will receive an acknowledgement within five business days.

Disclosure

Fixed issues are disclosed publicly via the CHANGELOG.md and release notes. We aim to coordinate public disclosure with the reporter, with a default window of 90 days from the initial report. Critical issues with an available exploit may be disclosed sooner.

Out of scope

  • Vulnerabilities that require network access the threat model already excludes (e.g. an attacker on the same internal network as both the database and the service).
  • Issues in third-party dependencies that are already disclosed upstream — please report those to the upstream project; we will track and patch via dependency updates.
  • Misconfiguration by operators (e.g. exposing the service publicly without an upstream proxy, or leaking API_TOKEN).
