We take security seriously. If you discover a security vulnerability in feedreader, please report it responsibly by emailing hi@boringcode.dev instead of using the public issue tracker.
When reporting a security issue, please include:
- A description of the vulnerability
- Steps to reproduce the issue (if applicable)
- The affected version(s)
- Any potential impact or proof of concept
We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly.
Since feedreader is a self-hosted application, the following best practices are recommended:
- Run feedreader behind a reverse proxy (nginx, Caddy, etc.) with TLS/HTTPS enabled
- Use a firewall to restrict access to the application
- Consider running the application in an isolated network segment
- Store the SQLite database file on an encrypted filesystem
- Regularly back up the database
- Ensure proper file permissions on the data directory
- Keep the base Docker image and Go runtime updated
- Run the container with minimal required privileges
- Use secrets management for sensitive configuration values
- Monitor dependencies for security updates
- Keep Go and other dependencies current
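The following docker-compose layout is an added example that applies the practices listed above (TLS-terminating reverse proxy, no direct exposure of the app, minimal container privileges, secrets kept out of the compose file). It is not part of the feedreader project: the image name, the listening port (8080), the in-container data path (/app/data) and the hostname are assumptions marked as placeholders, and the Caddy invocation uses Caddy's standard `caddy reverse-proxy` command.

```yaml
# Added example, not feedreader's own configuration. Placeholders to replace:
#   FEEDREADER_IMAGE  -> the real image name/tag (not stated on this page)
#   8080              -> the port feedreader listens on (assumed)
#   /app/data         -> the data directory inside the container (assumed)
#   feeds.example.com -> your own hostname
services:
  caddy:
    image: caddy:2
    # Caddy's reverse-proxy mode terminates TLS and obtains a certificate
    # automatically for the hostname given to --from; port 80 is needed for
    # the ACME challenge and the HTTP->HTTPS redirect.
    command: caddy reverse-proxy --from feeds.example.com --to feedreader:8080
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - caddy_data:/data          # persisted certificates and account keys
    networks:
      - edge
      - app

  feedreader:
    image: FEEDREADER_IMAGE
    # No `ports:` entry: the app is reachable only through Caddy over the
    # internal network, so host firewall rules only need to allow 80/443.
    networks:
      - app
    user: "1000:1000"             # unprivileged uid/gid inside the container
    read_only: true               # immutable root filesystem
    cap_drop:
      - ALL                       # drop every Linux capability
    security_opt:
      - no-new-privileges:true    # block setuid/setcap privilege escalation
    tmpfs:
      - /tmp                      # scratch space for a read-only container
    volumes:
      # Host directory holding the SQLite database: keep it on an encrypted
      # filesystem, owned by uid 1000, mode 0700, and back it up regularly.
      - /srv/feedreader/data:/app/data
    env_file:
      # Sensitive values live here, not in this file; chmod 0600 and do not
      # commit it to version control.
      - ./feedreader.env
    restart: unless-stopped

networks:
  edge:
  app:
    internal: true                # no route to the outside; only caddy bridges it

volumes:
  caddy_data:
```

After `docker compose up -d`, `docker inspect <container>` should show `CapDrop` containing `ALL`, `ReadonlyRootfs: true` and `no-new-privileges:true` under `SecurityOpt` for the feedreader container, and `ss -ltn` on the host should list only 80 and 443, not 8080. Where a proper secrets manager is available (Docker secrets, a vault agent), prefer it over the env file.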
Security updates will be provided for:
- The current (latest) release
- The previous minor version, for critical issues
We aim to:
- Acknowledge receipt of the report within 48 hours
- Begin investigation and reproduce the issue
- Develop and test a fix
- Publish a security release (if needed)
- Notify the reporter of the resolution
We appreciate your responsible disclosure and will credit you appropriately unless you prefer to remain anonymous.