Reference

Security

Threat model, 0% data egress guarantee, vulnerability disclosure, audit log for gov/finance compliance.

2026-05-27

Threat model

Past audit log

Wszystkie znalezione issues + fixes dostępne w git log. Sumaryzacja:

DateSeverityIssueStatus
2026-05-27HIGHXSS via label reflected unescaped in HTMLResponse (settings router)✓ Fixed (commit a8e4af3)
2026-05-27CRITICAL_cache_put silently swallowing TypeError✓ Fixed
2026-05-27CRITICAL_reader() outer Exception losing traceback✓ Fixed
2026-05-27HIGH_maybe_post_comment unexpected exception✓ Fixed
2026-05-27HIGHsettings.py bare Exception masking DB errors✓ Fixed (narrowed do VaultError)
2026-05-27HIGHkill_job bare except pass✓ Fixed (log.warning)
2026-05-26MEDIUM (×5)UI Task 17 audit (2 CRIT + 5 HIGH)✓ All fixed

Vulnerability disclosure

Do NOT open public GitHub issue for security vulnerabilities.
  1. Email: filipiuk.bartek@gmail.com
  2. Subject: [SECURITY] + krótki opis
  3. PGP key na request
  4. Response w 72h, fix target 14 dni dla high/critical

Compliance (Enterprise tier)

Why "0% data egress" matters

Drupal jest często used dla:

Generic AI tools (CodeRabbit, Copilot, Greptile) wysyłają kod do US/cloud APIs — niemożliwe dla tych branż. DCR działa na Twoim hardware, no API calls leave VPC.

Full security policy: SECURITY.md on GitHub

Edit on GitHub