We release patches for security vulnerabilities. Currently supported versions:

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via GitHub Security Advisories:

1. Go to https://github.com/mjtpena/faborite/security/advisories/new
2. Click "Report a vulnerability"
3. Fill out the form with details about the vulnerability

Alternatively, you can email security concerns to michael@datachain.consulting.

Please include as much of the following information as possible:

• Type of issue (e.g. authentication bypass, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• We will acknowledge receipt of your vulnerability report within 48 hours
• We will provide a more detailed response within 7 days indicating next steps
• We will keep you informed of the progress towards a fix
• We may ask for additional information or guidance

• We ask that you do not publicly disclose the vulnerability until we've had a chance to address it
• Once a fix is released, we will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
• We aim to patch critical vulnerabilities within 30 days of disclosure

When using Faborite:

• Never commit faborite.json with real workspace/lakehouse IDs to public repositories
• Use environment variables for sensitive configuration:

  export FABORITE_WORKSPACE_ID="your-id"
  export FABORITE_LAKEHOUSE_ID="your-id"

• When using Service Principal authentication, store credentials securely:
  • Use Azure Key Vault in production
  • Use environment variables, never hardcode secrets
  • Rotate credentials regularly

• Apply principle of least privilege to service principals
• Only grant read access to lakehouses that need to be synced
• Regularly audit access permissions

• Be mindful of sensitive data when syncing locally
• Use encryption for local data storage if required by your organization
• Follow your organization's data governance policies
• Never commit synced data (.faborite/ folder) to version control

• When possible, use private endpoints for Fabric/OneLake access
• Consider using VPN or private networks for sensitive data transfers

• Keep Faborite updated to the latest version
• We regularly update dependencies to address security issues
• Review our release notes for security patches

Faborite downloads data to your local machine. This data:

• Is stored in plain text (Parquet, CSV, JSON, or DuckDB)
• May contain sensitive information from your lakehouses
• Should be treated with the same security controls as your cloud data

Faborite uses Azure authentication tokens:

• Tokens are managed by Azure Identity SDK
• Tokens are cached by Azure SDK (typically in ~/.azure/)
• Token lifetime is controlled by Azure AD

We will announce security updates through:

• GitHub Security Advisories
• Release notes on GitHub
• Updated documentation

Subscribe to repository notifications to stay informed about security updates.

Faborite uses industry-standard libraries:

• Azure SDK for .NET: For secure Azure authentication and data access
• DuckDB: For local data processing (no network access)
• Polly: For resilient retry policies

We follow .NET security best practices and regularly update dependencies.

For general security questions (not vulnerability reports), please:

• Open a discussion in GitHub Discussions
• Email michael@datachain.consulting

Thank you for helping keep Faborite and its users secure!