| Version | Supported |
|---|---|
| 0.1.x | ✅ |
To report a vulnerability privately (not visible to the public), use GitHub's Private Vulnerability Reporting feature. Do not open a public issue for security vulnerabilities.
If you prefer email, you may also contact byron@williamscpa.com with full details. Email reports are treated with the same confidentiality as GitHub private advisories.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We aim to respond within 48 hours and provide a fix timeline within 7 days. We commit to acknowledging all vulnerability reports within 14 days of submission (in practice we target 48 hours).
This project follows security best practices:
- Dependency Scanning: Automated via Dependabot and Safety
- Static Analysis: Bandit for Python security issues
- Code Review: All changes require review before merge
- Signed Commits: GPG-signed commits required
- FIPS Compliance: Code is checked for FIPS 140-2/140-3 compatibility
LLC Manager is a FastAPI application that stores and serves sensitive business data: EINs, ownership percentages, compliance deadlines, and associated legal documents. The primary attack surface is:
- ORM/SQL injection: search and filter parameters on entity endpoints are passed through SQLAlchemy; all queries use parameterized statements, but new endpoints must follow the same pattern.
- Authentication gap: Phase 0 ships with no auth layer. Deployments must sit behind a network boundary or reverse proxy with auth until Phase 1 (OAuth2/OIDC) ships.
- SSRF: external integrations could trigger server-side requests; `middleware/security.py` blocks private-range destinations.
- Secrets exposure: database credentials and API keys live in environment variables; `.env` is git-ignored and GitHub secret scanning is enabled.
- Supply-chain: GitHub Actions workflows use SHA-pinned action refs; `slsa-provenance.yml` generates SLSA Level 3 attestations for releases.
Mitigations in place: Bandit SAST, pip-audit, detect-secrets pre-commit hook, required-status-check rulesets, and signed commits.
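As an added illustration of the private-range destination check described above (example code written for this document, not the project's `middleware/security.py`; the `FAKE_DNS` table and resolver are constructed so the check runs offline), this resolves the target host and allows only http(s) URLs whose every resolved address is globally routable:

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254/16,
    # fe80::/10), CGNAT (100.64/10), unspecified and reserved ranges.
    return ip.is_global

def is_allowed_destination(url: str, resolver: Resolver = system_resolver) -> bool:
    """Allow only http(s) URLs whose host resolves solely to public addresses.
    Every answer is checked, not just the first, so a mixed public/private
    answer set is rejected as a whole."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # brackets already stripped for IPv6 literals
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError:
            return False  # unresolvable host: fail closed
    return bool(addrs) and all(is_public_address(a) for a in addrs)


# Constructed lookup table (assumption) so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "db.internal.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "127.0.0.1"],
}

def fake_resolver(host: str) -> Iterable[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]
```

Resolving at check time and fetching afterwards still leaves a DNS rebinding window; pinning the connection to the validated address closes it.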
| Field | Value |
|---|---|
| CVE | CVE-2025-53000 |
| GHSA | GHSA-xm59-rqc7-hhvf |
| Severity | High (CVSS 8.5) |
| Package | nbconvert <= 7.16.6 |
| Status | Accepted Risk |
Description: Uncontrolled search path vulnerability on Windows that allows code execution via a malicious inkscape.bat file when converting notebooks with SVG to PDF.
Risk Assessment:
- Platform: Windows-only (this project is developed and deployed on Linux)
- Scope: Development dependency only (not in production)
- Usage: Project does not use notebook-to-PDF conversion
- Upstream Fix: No patched version available as of 2026-01-18
Mitigation: The risk is tolerable for development use. We will upgrade when a patched version is released.
Security updates are applied as follows:
- Critical/High: Within 7 days of disclosure
- Medium: Within 30 days
- Low: Next scheduled release