Reporting Vulnerabilities

FreeSDN manages real networks, devices, and credentials. Security vulnerabilities have real consequences. The project takes security reports seriously and responds promptly.

How to report

Use GitHub Private Vulnerability Reporting:

Go to the repository’s Security tab.
Click “Report a vulnerability”.
Or go directly to https://github.com/freesdn/freesdn/security/advisories/new.

Reports stay confidential between you and the maintainers until a fix ships. A CVE or GHSA is coordinated through the same advisory.

What to include

Affected version (check GET /api/v1/health/detail - requires authentication with settings:read permission; alternatively, check the version label in the admin dashboard Settings page).
Steps to reproduce - the more specific, the faster we can triage.
Potential impact and the access level required.
A suggested fix if you have one (appreciated but not required).

Response timeline

Milestone	Target
Acknowledge receipt	Within 48 hours
Initial triage and severity assessment	Within 5 business days
Patch for critical issues	Within 30 days

Scope

All components in the repository are in scope: backend API, frontend, agent, plugin SDK, marketplace, Docker Compose artifacts, and all 13 adapters (Omada, OPNsense, pfSense, MikroTik, OpenWrt, Hikvision, ONVIF, UniFi Protect, FreePBX, Grandstream, Proxmox, TrueNAS, UniFi).

Supported versions

Version	Status
26.06.x	Active support
26.05.x	Security patches only (through 2026-09-30)
<= 26.04	End of life

Running the built-in security scanner

FreeSDN ships a unified security scanner:

# Check which tools are available
python scripts/security-audit.py --check-tools

# Run all available scans
python scripts/security-audit.py

# Run specific scans
python scripts/security-audit.py --python   # pip-audit (Python CVEs)
python scripts/security-audit.py --npm      # npm audit (JS CVEs)
python scripts/security-audit.py --docker   # Trivy (container image CVEs)
python scripts/security-audit.py --lint     # Hadolint (Dockerfile best practices)
python scripts/security-audit.py --sast     # Bandit (Python static analysis)

Dependency management

Dependabot opens weekly PRs for Python, npm, and Docker image updates.
poetry.lock and package-lock.json provide deterministic, auditable builds.
Security-critical packages are explicitly pinned (e.g. cryptography >= 48.0.0, urllib3 >= 2.7.0).

Security testing and review

This release includes automated tests and internal review, but no third-party security audit or certification is claimed. Security regression tests live under backend/tests/security/test_pentest_*.py.

Security controls

The platform ships the following controls, exercised by the automated test suite:

Class	Control
SSRF	Every outbound sink routes through `safe_http_request` (resolve-once + IP-pin, no redirects)
Site-grant / cross-tenant	`assert_can_access_site` / `site_scope_filter` applied across actions, agent schedules, discovery, NVR create
Staged-write boundary	A universal read-only/force gate plus a task-local `apply_window` guards every adapter write
Agent auto-update signing	ECDSA-signed releases; agent fails closed on missing/invalid signature; persistent TOFU key pin
Marketplace signing	Ed25519 signature over canonical catalog; unsigned catalog refused by default
Plugin confused-deputy	Plugin executes with plugin ∩ caller authority - the intersection of the plugin’s declared capabilities and the authenticated caller’s own FreeSDN permissions (`CAN-015`).
Omada path traversal (CAN-017)	Decode-until-stable + reject `..`/whitespace/control/backslash; validate == transmit
CI supply-chain	All third-party GitHub Actions pinned to commit SHAs with Dependabot maintaining pins

A threat model and residual-risk register are maintained for the project and are available to support a deployer’s own security assessment.