Skip to content

Security: PerpetualSoftware/pad

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Pad, please do not open a public issue.

Instead, report it privately:

Please include:

  • A description of the vulnerability
  • Steps to reproduce it
  • The potential impact
  • Any suggested fixes (if you have them)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix or mitigation: Depends on severity, but we aim for:
    • Critical: 72 hours
    • High: 1 week
    • Medium/Low: Next release

Scope

Pad runs as a local server on the user's machine. Security concerns include:

  • Data integrity — Pad stores project data in SQLite; unauthorized modification or deletion is a security issue
  • Network exposure — outside Docker, Pad binds to localhost by default; in Docker, exposure depends on host-side port publishing, and any vulnerability that widens access beyond the intended deployment is in scope
  • Code injection — Any path where user input (item content, wiki-links, field values) could lead to code execution
  • Path traversal — Any way to read or write files outside the workspace directory
  • Embedded web UI — XSS or other web vulnerabilities in the SvelteKit frontend

Out of Scope

  • Vulnerabilities in dependencies (please report those upstream, but let us know so we can update)
  • Issues that require physical access to the machine
  • Social engineering

Supported Versions

We provide security fixes for the latest release only.

Version Supported
Latest
Older

There aren't any published security advisories