Skip to content

Security: adityatawde9699/LibraryPro

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
2.x (current)
1.x (prototype) ❌ End-of-life

Reporting a Vulnerability

Please do NOT report security vulnerabilities through public GitHub Issues.

Instead, contact the maintainer privately:

  1. Open a GitHub Security Advisory (preferred — keeps the report confidential until patched).
  2. Or email the maintainer directly. The email address can be found on their GitHub profile.

Please include as much detail as possible:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a Proof-of-Concept.
  • Your suggested fix if you have one.

You can expect an acknowledgement within 72 hours and a patch or mitigation plan within 14 days for critical issues.


Security Considerations

Local data storage

LibraryPro stores all data in a local SQLite file (library.db). This file is not encrypted. In a shared environment, ensure:

  • The file resides in a directory with appropriate OS-level permissions.
  • Access is restricted to the library system user account.

Authentication

  • Passwords are currently stored in plaintext in the users table. This is appropriate for a local single-workstation deployment but not for a networked environment.
  • Future versions will store passwords as bcrypt hashes.
  • The default credentials (admin / admin) must be changed immediately after the first login.

No network exposure

LibraryPro is a pure desktop application with no built-in network interface, REST API, or web server. It does not transmit any data over the network during normal operation. The only outbound network activity is during dependency download (build.sh deps / download_libs.ps1), which fetches JARs from Maven Central over HTTPS.

Dependency supply chain

All dependencies are fetched directly from Maven Central over HTTPS. To verify the integrity of downloaded JARs, compare their SHA-1 checksums against the .sha1 files available at the same Maven Central URLs.


Changelog of Security Fixes

Version Date CVE / Description
No security fixes yet

There aren't any published security advisories