| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| < 0.3 | ❌ |
We take security seriously. If you discover a vulnerability, please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Email security reports to: security@rpaforge.dev (or create a private security advisory on GitHub)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Timeline: Depends on severity
- Critical: 7 days
- High: 14 days
- Medium: 30 days
- Low: Next release
RPAForge implements several security measures:
- Credential Management: Secure storage via the Credentials library
- Input Validation: All user inputs are validated before processing
- Sandboxed Execution: Diagram execution runs in isolated Python subprocess with resource limits (timeouts, memory constraints)
- IPC Security: Electron-Python bridge uses typed contracts
When using RPAForge:
- Never hardcode credentials - Use the Credentials library
- Limit automation scope - Grant minimal required permissions
- Review recorded scripts - Validate before production use
- Keep dependencies updated - Enable Dependabot alerts
- Audit selectors - Ensure selectors target correct elements
This project uses automated security scanning:
- CodeQL: Static analysis for Python and TypeScript
- Dependabot: Dependency vulnerability alerts
- Secret Scanning: GitHub detects exposed secrets